Skip to main content

CODESYS Modbus EUVDEUVD-2026-29390

| CVE-2026-35227 HIGH
Missing Release of Resource after Effective Lifetime (CWE-772)
2026-05-12 CERTVDE GHSA-qc33-pwh4-j9rq
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 12, 2026 - 10:00 vuln.today
Patch available
May 12, 2026 - 09:01 EUVD
CVSS changed
May 12, 2026 - 08:22 NVD
8.2 (HIGH)
CVE Published
May 12, 2026 - 07:14 nvd
UNKNOWN (no severity yet)
CVE Published
May 12, 2026 - 07:14 nvd
HIGH 8.2

DescriptionCVE.org

An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new connections.

AnalysisAI

TCP connection exhaustion in CODESYS Modbus TCP Server allows remote unauthenticated attackers to trigger a race condition in connection handling, depleting all available TCP connections and denying service to legitimate industrial automation clients. CVSS 8.2 (High) reflects high availability impact. No active exploitation confirmed (not in CISA KEV), but attack complexity is low with present race condition opportunity (AT:P). Patch available from vendor for versions prior to 4.6.0.0.

Technical ContextAI

CODESYS Modbus TCP Server implements the Modbus TCP protocol (TCP/502), a widely-used industrial automation protocol for SCADA and PLC communication. The vulnerability stems from CWE-772 (Missing Release of Resource after Effective Lifetime) - a classic resource exhaustion flaw where connection objects are not properly released after use. A race condition in the TCP connection handler allows an attacker to trigger simultaneous connection attempts that bypass normal resource cleanup, causing file descriptor or socket pool exhaustion. This affects the CODESYS Modbus stack (CPE: cpe:2.3:a:codesys:codesys_modbus), a commercial Modbus server library integrated into industrial control systems. Modbus TCP typically maintains a limited connection pool (often 5-10 concurrent connections); exhausting this pool renders the device unresponsive to legitimate HMI clients, engineering workstations, or supervisory systems.

RemediationAI

Upgrade CODESYS Modbus to version 4.6.0.0 or later, which addresses the race condition in TCP connection handling. Consult device manufacturer for firmware update procedures, as CODESYS Modbus is typically embedded in third-party industrial hardware. If immediate patching is not feasible, implement network-level compensating controls: (1) Deploy Modbus TCP gateway or proxy with connection rate limiting (e.g., max 2 new connections/second per source IP) to prevent rapid connection attempts needed to exploit the race window - trade-off: may slow legitimate client reconnections during network events; (2) Configure stateful firewall rules restricting Modbus TCP (port 502) access to explicitly authorized HMI/SCADA IP addresses only - eliminates remote unauthenticated attack surface but requires maintaining accurate IP allowlists; (3) Enable connection monitoring/alerting for abnormal Modbus TCP connection patterns (connection attempts exceeding normal baseline) to detect exploitation attempts. Workarounds reduce but do not eliminate risk; patching remains the definitive fix. Advisory: https://certvde.com/de/advisories/VDE-2026-042.

Share

EUVD-2026-29390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy