Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects the non-default MESH_BED_LEVELING build requirement; PR:N because G-code channels are typically unauthenticated; C:N as only integrity and availability are affected via memory corruption.
Primary rating from Vendor (VulnCheck).
Description (source: CVE.org)
Marlin Firmware through 2.1.2.7, fixed in commit 1f255d1, when built with MESH_BED_LEVELING enabled, contains an out-of-bounds write vulnerability in the M421 G-code handler that allows attackers to corrupt firmware memory by supplying out-of-range X and Y grid indices. Attackers can send a single crafted G-code command via USB serial, network interface, or malicious gcode file to write an attacker-controlled 32-bit float value past the z_values array bounds, corrupting adjacent firmware variables and causing denial of service or firmware state corruption.
Analysis (AI)
Out-of-bounds write in Marlin Firmware (3D printer firmware) through 2.1.2.7 lets attackers corrupt firmware memory through the M421 G-code mesh-bed-leveling handler, which fails to upper-bound the X/Y grid indices before writing a 32-bit float into the z_values array. Any actor able to feed G-code to a printer built with MESH_BED_LEVELING enabled can write an attacker-controlled value past the array, overwriting adjacent firmware state and causing denial of service or unpredictable machine behavior. …
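As an added illustration (not Marlin's own code; the grid size, the z_values layout, the line parser and the exact shape of the original check are assumptions), the following C sketch contrasts the lower-bound-only index check the advisory describes with a fully bounded one, and routes a parsed M421 line through the bounded setter:

```c
/* Added illustration, not Marlin code: a simplified M421 mesh-point setter.
 * Grid size, field names and the parser are assumptions made for this example. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define GRID_MAX_POINTS_X 5   /* assumed mesh size; Marlin's is configurable */
#define GRID_MAX_POINTS_Y 5

static float z_values[GRID_MAX_POINTS_X][GRID_MAX_POINTS_Y];

/* Vulnerable pattern as the advisory describes it: only the lower bound is
 * checked, so I/J past the grid are accepted and the float write would land
 * beyond z_values, on whatever firmware state follows the array. */
bool m421_index_ok_vulnerable(int i, int j) {
    return i >= 0 && j >= 0;
}

/* Fixed pattern: both bounds are checked before any write is attempted. */
bool m421_index_ok_fixed(int i, int j) {
    return i >= 0 && i < GRID_MAX_POINTS_X && j >= 0 && j < GRID_MAX_POINTS_Y;
}

/* Bounded setter: 0 on success, -1 when the indices are rejected. */
int m421_set_z(int i, int j, float z) {
    if (!m421_index_ok_fixed(i, j)) return -1;
    z_values[i][j] = z;
    return 0;
}

/* Minimal parser for "M421 I<i> J<j> Z<z>" lines (constructed for this example).
 * Returns 0 on success, -1 if the line is not M421 or any field is missing. */
int parse_m421(const char *line, int *i, int *j, float *z) {
    if (strncmp(line, "M421", 4) != 0) return -1;
    const char *pi = strchr(line, 'I'), *pj = strchr(line, 'J'), *pz = strchr(line, 'Z');
    if (!pi || !pj || !pz) return -1;
    *i = atoi(pi + 1);
    *j = atoi(pj + 1);
    *z = (float)atof(pz + 1);
    return 0;
}

/* Parse one G-code line and apply it only if the indices are in range. */
int handle_m421_line(const char *line) {
    int i, j;
    float z;
    if (parse_m421(line, &i, &j, &z) != 0) return -1;
    return m421_set_z(i, j, z);
}

float get_z(int i, int j) { return z_values[i][j]; }
```

The vulnerable predicate is kept only to show what the missing check looks like; nothing in the block writes through it.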
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the firmware to be built with MESH_BED_LEVELING enabled - without that compile-time option the vulnerable M421 handler is not present. … |
| Risk Assessment | Signals are largely consistent toward a real, prioritizable issue but bounded by deployment context. … |
| Exploit Scenario | An attacker who can reach a network-exposed Marlin printer (or who tricks an operator into printing a malicious .gcode file) sends a single 'M421 I<large> J<large> Z<value>' command with grid indices beyond GRID_MAX_POINTS_X/Y. The handler writes the 32-bit float past z_values into adjacent firmware memory, corrupting state and crashing or destabilizing the controller. … |
| Remediation | Upstream fix available (PR/commit); a released patched version is not independently confirmed beyond commit 1f255d1, so update to a Marlin build that includes commit 1f255d16ec2d456454fd444494cfb338d62b0fa1 (PR #28468) - i.e., rebuild and reflash from current main or any release tagged after 2.1.2.7 that contains it. … |
Recommended Action (AI)
Within 24 hours: Identify all 3D printers running Marlin Firmware through version 2.1.2.7 with MESH_BED_LEVELING enabled; disable external G-code submission if patches cannot be applied immediately. …
Same weakness: CWE-129 – Improper Validation of Array Index
Same technique: Buffer Overflow
Related identifiers
EUVD-2026-38797
GHSA-x5qg-qgv8-q7cr