
Marlin Firmware CVE-2026-56111

EUVD: EUVD-2026-38797 · HIGH
Improper Validation of Array Index (CWE-129)
2026-06-24 · VulnCheck · GHSA-x5qg-qgv8-q7cr
CVSS 4.0 score: 8.3 (Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), primary rating: 8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI rating: 7.4 HIGH

AC:H reflects the non-default MESH_BED_LEVELING build requirement; PR:N because G-code channels are typically unauthenticated; C:N as only integrity and availability are affected via memory corruption.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Jun 24, 2026 15:51 (vuln.today): Source Code Evidence Fetched
Jun 24, 2026 15:51 (vuln.today): Analysis Generated

Description (CVE.org)

Marlin Firmware through 2.1.2.7, fixed in commit 1f255d1, when built with MESH_BED_LEVELING enabled, contains an out-of-bounds write vulnerability in the M421 G-code handler that allows attackers to corrupt firmware memory by supplying out-of-range X and Y grid indices. Attackers can send a single crafted G-code command via USB serial, network interface, or malicious gcode file to write an attacker-controlled 32-bit float value past the z_values array bounds, corrupting adjacent firmware variables and causing denial of service or firmware state corruption.

Analysis (AI)

Out-of-bounds write in Marlin Firmware (3D printer firmware) through 2.1.2.7 lets attackers corrupt firmware memory through the M421 G-code mesh-bed-leveling handler, which fails to upper-bound the X/Y grid indices before writing a 32-bit float into the z_values array. Any actor able to feed G-code to a printer built with MESH_BED_LEVELING enabled can write an attacker-controlled value past the array, overwriting adjacent firmware state and causing denial of service or unpredictable machine behavior. …
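The check the analysis says the handler lacks, as an added illustration that is not Marlin's code: a simplified, constructed M421-style handler in C that rejects any I or J index outside the grid on both ends before it writes into z_values. The grid dimensions, the parameter parser and the function names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed grid dimensions; a real build takes these from its configuration. */
#define GRID_MAX_POINTS_X 3
#define GRID_MAX_POINTS_Y 3

static float z_values[GRID_MAX_POINTS_X][GRID_MAX_POINTS_Y];

/* Return the text following parameter `letter` (e.g. 'I', 'J', 'Z'), or NULL. */
static const char *find_param(const char *line, char letter) {
    for (const char *p = line; *p; p++)
        if (*p == letter && (p == line || isspace((unsigned char)p[-1])))
            return p + 1;
    return NULL;
}

/* Parse an integer index parameter; false when absent or not numeric. */
static bool parse_index(const char *line, char letter, long *out) {
    const char *s = find_param(line, letter);
    if (!s) return false;
    char *end;
    long v = strtol(s, &end, 10);
    if (end == s) return false;
    *out = v;
    return true;
}

/* Hardened handler: both indices are checked on BOTH ends before z_values is
 * touched. Enforcing only the lower bound (the CWE-129 defect class described
 * above) would let I/J walk past the array. Returns 0 on success, -1 on
 * malformed or out-of-range input, in which case nothing is written. */
int m421_set_point(const char *line) {
    long i, j;
    if (!parse_index(line, 'I', &i) || !parse_index(line, 'J', &j)) return -1;
    if (i < 0 || i >= GRID_MAX_POINTS_X || j < 0 || j >= GRID_MAX_POINTS_Y)
        return -1;                        /* rejected: no write performed */
    const char *zs = find_param(line, 'Z');
    if (!zs) return -1;
    char *end;
    float z = strtof(zs, &end);
    if (end == zs) return -1;
    z_values[i][j] = z;
    return 0;
}

/* Read back a stored mesh point (indices assumed valid by the caller). */
float m421_get_point(int i, int j) { return z_values[i][j]; }
```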


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Reach printer G-code interface (serial/network/file)
Delivery: Craft M421 with out-of-range I/J indices
Exploit: Trigger out-of-bounds write past z_values
Execution: Corrupt adjacent firmware variables
Impact: Denial of service or firmware state corruption

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the firmware to be built with MESH_BED_LEVELING enabled; without that compile-time option the vulnerable M421 handler is not present. …
Risk Assessment: Signals are largely consistent toward a real, prioritizable issue but bounded by deployment context. …
Exploit Scenario: An attacker who can reach a network-exposed Marlin printer (or who tricks an operator into printing a malicious .gcode file) sends a single 'M421 I<large> J<large> Z<value>' command with grid indices beyond GRID_MAX_POINTS_X/Y. The handler writes the 32-bit float past z_values into adjacent firmware memory, corrupting state and crashing or destabilizing the controller. …
Remediation: An upstream fix is available (PR/commit); a released patched version is not independently confirmed beyond commit 1f255d1. Update to a Marlin build that includes commit 1f255d16ec2d456454fd444494cfb338d62b0fa1 (PR #28468), i.e. rebuild and reflash from current main or from any release tagged after 2.1.2.7 that contains it. …

Recommended Action (AI)

Within 24 hours: Identify all 3D printers running Marlin Firmware through version 2.1.2.7 with MESH_BED_LEVELING enabled; disable external G-code submission if patches cannot be applied immediately. …
