Home

Description

OpENer 2.3.0 (commit 76b95cf) has an out-of-bounds read issue in CIP message parsing when handling malformed explicit requests with a forged EPath size. An attacker can send a valid ENIP SendRRData frame carrying a very short CIP payload whose path_size field claims that many more path words are present than are actually available. Because the parser trusts the attacker-controlled path_size and continues decoding path segments without a remaining-length boundary, it reads beyond the end of the stack receive buffer.

PUBLISHED Reserved 2026-06-08 | Published 2026-07-13 | Updated 2026-07-13 | Assigner mitre

References

github.com/EIPStackGroup/OpENer/issues/582

gist.github.com/MrAlaskan/705c680856e48c535148265c0899ad4b

cve.org (CVE-2026-51541)

nvd.nist.gov (CVE-2026-51541)

Download JSON