
nanoMODBUS EUVD-2026-36661 | CVE-2026-54410 | HIGH
Off-by-one Error (CWE-193)
2026-06-14 · Vendor: TuranSec · GHSA-6f53-f2m4-6j2h
CVSS 4.0 base score 7.8 (Vendor: TuranSec)

Severity by source

Vendor (TuranSec), PRIMARY: 7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X

vuln.today AI: 8.6 HIGH
Rationale: a single crafted Modbus/TCP frame on port 502 with no authentication or user interaction (AV:N/AC:L/PR:N/UI:N); the reliable DoS gives A:H, while the conditional one-byte leak and unintended register writes give C:L/I:L.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (TuranSec).

CVSS Vector (Vendor: TuranSec)

Decoded from the vendor's CVSS 4.0 vector listed under Severity by source:
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability High
Subsequent System Impact: None
Exploit Maturity (threat metric): Proof-of-Concept (E:P)
Automatable (supplemental): Yes (AU:Y)
Safety (supplemental): Not Defined (S:X). Note that CVSS 4.0 has no Scope metric; the S component of a 4.0 vector is the Safety supplemental metric, and all remaining environmental and supplemental metrics are Not Defined (X).

Lifecycle Timeline

1. Analysis Generated: Jun 14, 2026, 17:42 (vuln.today)

Description (CVE.org)

nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path.
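As an added illustration (this is not nanoMODBUS code and does not reproduce the project's actual recv_msg_header() logic), the following C program shows the MBAP arithmetic behind the description. The Modbus/TCP ADU is capped at 260 bytes and the 16-bit Length field counts only the Unit ID plus the PDU, so a legitimate frame never carries Length greater than 254; a receive check that merely bounds Length at 255 lets a 6 + 255 = 261-byte frame into a 260-byte buffer, while a check against the spec maximum does not. The functions vulnerable_accept, hardened_accept, recv_frame_checked and build_frame, the constants, and the test frame are all constructed for this example.

```c
/* Added example (not nanoMODBUS code): Modbus/TCP MBAP length validation.
 * Constants follow the Modbus/TCP spec: the MBAP header is 7 bytes, the
 * Length field counts Unit ID + PDU, and the maximum ADU is 260 bytes.
 * vulnerable_accept() is a hypothetical illustration of the off-by-one the
 * advisory describes, not the real recv_msg_header() logic. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MBAP_HDR_LEN        7u    /* TID(2) PID(2) LEN(2) UID(1) */
#define MODBUS_TCP_MAX_ADU  260u  /* largest legal Modbus/TCP frame */
/* Length covers everything after the first 6 header bytes, so the spec
 * maximum is 260 - 6 == 254 (1 byte Unit ID + 253 byte PDU). */
#define MBAP_MAX_LENGTH     (MODBUS_TCP_MAX_ADU - 6u)

/* Read the big-endian 16-bit Length field from an MBAP header. */
static uint16_t mbap_length(const uint8_t hdr[MBAP_HDR_LEN]) {
    return (uint16_t)((hdr[4] << 8) | hdr[5]);
}

/* Hypothetical buggy check: Length == 255 passes, so 6 + 255 == 261 bytes
 * are received into a 260-byte buffer, one byte past its end. */
int vulnerable_accept(uint16_t len) {
    return len > 0 && len <= 255;
}

/* Hardened check: the whole frame (6 + Length) must fit the 260-byte ADU,
 * and Length must at least cover the Unit ID and a one-byte function code. */
int hardened_accept(uint16_t len) {
    return len >= 2 && len <= MBAP_MAX_LENGTH;
}

/* Receive step into a fixed 260-byte buffer with an explicit bound check.
 * Returns the number of bytes stored, or -1 if the frame is rejected. */
int recv_frame_checked(const uint8_t *wire, size_t wire_len,
                       uint8_t out[MODBUS_TCP_MAX_ADU]) {
    if (wire_len < MBAP_HDR_LEN) return -1;
    uint16_t len = mbap_length(wire);
    if (!hardened_accept(len)) return -1;
    size_t total = 6u + len;
    if (total > wire_len) return -1;  /* short read: caller waits for more */
    memcpy(out, wire, total);         /* total <= 260 is guaranteed here */
    return (int)total;
}

/* Build a constructed test frame: MBAP header with the given Length followed
 * by a Write Multiple Registers (FC16) PDU zero-padded to the claimed size. */
size_t build_frame(uint8_t *buf, size_t cap, uint16_t length) {
    size_t total = 6u + length;
    if (total > cap) return 0;
    memset(buf, 0, total);
    buf[0] = 0x00; buf[1] = 0x01;     /* Transaction ID */
    buf[2] = 0x00; buf[3] = 0x00;     /* Protocol ID 0 = Modbus */
    buf[4] = (uint8_t)(length >> 8);  /* Length, big-endian */
    buf[5] = (uint8_t)(length & 0xff);
    buf[6] = 0x01;                    /* Unit ID */
    if (length >= 2) buf[7] = 0x10;   /* function code 16 */
    return total;
}

int main(void) {
    uint8_t wire[512], out[MODBUS_TCP_MAX_ADU];
    size_t n = build_frame(wire, sizeof wire, 255);  /* one byte too long */
    printf("Length=255: %zu-byte frame, buggy check %s, hardened check %s\n",
           n, vulnerable_accept(255) ? "accepts" : "rejects",
           recv_frame_checked(wire, n, out) < 0 ? "rejects" : "accepts");
    n = build_frame(wire, sizeof wire, 254);         /* largest legal frame */
    printf("Length=254: %zu-byte frame, hardened check stores %d bytes\n",
           n, recv_frame_checked(wire, n, out));
    return 0;
}
```

The same bound (6 + Length ≤ 260, i.e. Length ≤ 254) is what a protocol-aware filter in front of a Modbus/TCP endpoint can enforce as a compensating control until a fixed build is deployed.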

Analysis (AI)

Off-by-one buffer overflow in nanoMODBUS through v1.23.0 lets remote unauthenticated attackers write one attacker-controlled byte past a 260-byte receive buffer in the Modbus/TCP server's recv_msg_header() function. The corruption of the adjacent buffer-index field can cause denial of service on all targets and, on bare-metal/RTOS deployments without memory protection, leak one byte of memory and trigger unintended writes through the Write Multiple Registers (FC16) handler. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Identify exposed Modbus/TCP port 502
Delivery: Establish TCP connection to server
Exploit: Send MBAP frame with Length=255
Install: Trigger off-by-one past 260-byte buffer
C2: Corrupt state buffer-index field
Execute: Issue FC16 Write Multiple Registers with skewed index
Impact: Crash service or write unintended registers that may drive a physical process

Vulnerability Assessment (AI)

Exploitation: The target must be running nanoMODBUS ≤ v1.23.0 compiled with the Modbus/TCP server role and reachable on TCP/502 from the attacker; no authentication, user interaction, or non-default configuration is required because Modbus/TCP has no native auth. Note that an MBAP Length of 255 is itself out of spec: the Modbus/TCP ADU is capped at 260 bytes and Length counts only the Unit ID plus the PDU, so every legitimate frame carries Length ≤ 254, which makes the trigger frame straightforward to drop at a protocol-aware filter. …

Risk Assessment: The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, VA:H, VC:L/VI:L) accurately reflects a remote, unauthenticated, low-complexity reach with high availability impact and low confidentiality/integrity impact, consistent with the description's primary DoS outcome and conditional info-disclosure/unintended-write secondaries. …

Exploit Scenario: An attacker with TCP reach to a device's Modbus/TCP port 502 opens a connection and sends a single MBAP frame whose 16-bit Length field is set to 255, triggering the off-by-one write at the end of the 260-byte receive buffer and corrupting the state machine's buffer index. On a Linux target the service crashes (DoS of the industrial endpoint); on an RTOS or bare-metal PLC, the attacker follows up with a Write Multiple Registers (FC16) request that, due to the corrupted index, lands at an unintended register address, potentially altering a setpoint or coil that controls a physical process. …

Remediation: No vendor-released patch identified at time of analysis; monitor the upstream repository at https://github.com/debevv/nanoMODBUS for a release succeeding v1.23.0 and rebuild/reflash firmware once a fixed tag is published. …

Recommended Action (AI)

Within 24 hours: inventory all systems running nanoMODBUS and classify by deployment type (bare-metal, RTOS, or protected OS) and network criticality. …


EUVD-2026-36661 vulnerability details – vuln.today
