Skip to main content

CIPster EUVDEUVD-2026-45163

| CVE-2026-16013 MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-17 VulDB GHSA-w4qj-vxw3-g77r
5.5
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable CIP parser with no auth required; OOB read can disclose adjacent stack memory (C:L) and crash the process (A:L).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
Jul 17, 2026 - 12:22 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
Source Code Evidence Fetched
Jul 17, 2026 - 12:21 vuln.today
Analysis Generated
Jul 17, 2026 - 12:21 vuln.today
CVE Published
Jul 17, 2026 - 11:45 cve.org
MEDIUM 6.9

DescriptionCVE.org

A vulnerability has been found in liftoff-sr CIPster up to 632336d414ef708a542377c1aa8d6fdb7c70a760. Affected by this issue is the function CipAppPath::deserialize_symbolic of the file source/src/cip/cipepath.cc. Such manipulation leads to out-of-bounds read. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The name of the patch is 886a4d090e1c5b0475f0b1c2fe0606a8f0d6a519. A patch should be applied to remediate this issue.

AnalysisAI

Out-of-bounds read in CIPster's EtherNet/IP symbolic path parser exposes industrial control systems to remote availability disruption and potential memory disclosure. The flaw resides in CipAppPath::deserialize_symbolic (source/src/cip/cipepath.cc), where unsafe memcpy calls copy attacker-controlled byte counts from a network-supplied CIP symbolic path segment into a fixed-size stack buffer without bounds enforcement, reachable by a remote unauthenticated attacker sending a crafted EtherNet/IP explicit messaging request. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify CIPster device on TCP port 44818
Delivery
Craft CIP explicit message with oversized symbolic path length field
Exploit
Send malformed EtherNet/IP request to target
Execution
Trigger out-of-bounds read in deserialize_symbolic
Impact
Cause stack crash or adjacent memory disclosure

Vulnerability AssessmentAI

Exploitation The target device must be running a CIPster build prior to commit 886a4d090e1c5b0475f0b1c2fe0606a8f0d6a519 with its EtherNet/IP listener reachable on the network (typically TCP port 44818). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (Medium) with vector AV:N/AC:L/AT:N/PR:N/UI:N reflects that exploitation requires no authentication and no special preconditions, but the official scoring assigns only low availability impact (VA:L) and no confidentiality impact (VC:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to TCP port 44818 on a device running CIPster sends a crafted EtherNet/IP explicit messaging request containing a symbolic path segment with an oversized `byte_count` or `symbol_size` field. The `deserialize_symbolic` function passes the attacker-controlled length directly to `memcpy`, which reads beyond the bounds of the fixed-size stack-allocated `tag` buffer, potentially crashing the CIP stack process or leaking adjacent stack memory contents. …
Remediation Apply patch commit 886a4d090e1c5b0475f0b1c2fe0606a8f0d6a519 from the CIPster GitHub repository (https://github.com/liftoff-sr/CIPster/commit/886a4d090e1c5b0475f0b1c2fe0606a8f0d6a519), which replaces unsafe `memcpy` calls with the bounds-enforcing `BufReader::get_bytes()` method and adds `std::range_error` handling in the message router. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45163 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy