Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin(...), the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled name_len field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow. This vulnerability is fixed in 3.3.8.
AnalysisAI
Memory corruption in arduino-esp32's NBNS packet handler allows adjacent network attackers to achieve remote code execution on ESP32-family microcontrollers without authentication. Affects all versions prior to 3.3.8 when NetBIOS is explicitly enabled via NBNS.begin(). The parser trusts attacker-controlled name_len field from UDP port 137 traffic, writing unbounded data to fixed-size buffers. EPSS data not available, no CISA KEV listing, but GitHub security advisory confirms the vulnerability with patch released in version 3.3.8.
Technical ContextAI
This vulnerability affects the arduino-esp32 core library used for programming ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 microcontrollers in the Arduino development environment. NetBIOS Name Service (NBNS) is a legacy protocol operating on UDP port 137 for name resolution in local networks, primarily used for Windows network discovery. The vulnerability is a classic unbounded copy issue (CWE-121: Stack-based Buffer Overflow) where the NBNS request parser reads the name_len field from an incoming packet and uses it to copy data into fixed-size stack or heap buffers without validating that the length fits within the destination buffer bounds. ESP32 microcontrollers are resource-constrained embedded devices commonly used in IoT applications, smart home devices, and industrial control systems, making memory safety vulnerabilities particularly critical as they often lack modern exploit mitigations like DEP or ASLR.
RemediationAI
Upgrade arduino-esp32 to version 3.3.8 or later, which contains bounds checking for the name_len field in the NBNS packet parser. Update the library through the Arduino IDE Library Manager or modify the platform definition in the Arduino cores directory. For deployments unable to immediately upgrade, disable NetBIOS functionality by removing all NBNS.begin() calls from application code-this completely eliminates the attack surface as the vulnerable code path is only reachable when NBNS is explicitly started. As a network-level compensating control, implement firewall rules to block incoming UDP port 137 traffic to ESP32 devices, though this may break legitimate NetBIOS name resolution functionality if required by the application. For defense-in-depth, segment IoT devices into isolated VLANs with strict ingress filtering to limit adjacent network access, reducing the pool of potential attackers who can reach UDP 137. Review application code to verify whether NetBIOS is actually required for functionality, as many ESP32 deployments include it unnecessarily during development testing.
More in Arduino Esp32
View allThe EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 processes
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Pr
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Pr
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25619