Home

Description

nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path.

PUBLISHED Reserved 2026-06-13 | Published 2026-06-14 | Updated 2026-06-15 | Assigner TuranSec




HIGH: 7.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y

An attacker who can reach the TCP listening port of a Modbus/TCP server built on nanoMODBUS (typically TCP/502 on industrial / OT networks) sends a single crafted MBAP frame with Length=255 to corrupt the buf_idx field of the nmbs_t struct, causing denial of service or, on memory-protection-less embedded targets, additional information disclosure or unintended register writes.

HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

9.0AV:N/AC:L/Au:N/C:P/I:P/A:C

Problem types

CWE-193 Off-by-one Error

CWE-787 Out-of-bounds Write

Product status

Default status
unknown

Any version
affected

Credits

Burxonov Muslimbek finder

References

github.com/debevv/nanoMODBUS (nanoMODBUS - upstream repository (vendor)) product

github.com/debevv/nanoMODBUS/blob/v1.23.0/nanomodbus.c (Vulnerable bounds check at nanomodbus.c line 369 (v1.23.0)) product

cwe.mitre.org/data/definitions/193.html (CWE-193: Off-by-one Error) technical-description

cwe.mitre.org/data/definitions/787.html (CWE-787: Out-of-bounds Write) technical-description

cve.org (CVE-2026-54410)

nvd.nist.gov (CVE-2026-54410)

Download JSON