CVE-2026-54410

CVE-2026-54410 PUBLISHED

Assigner: TuranSec
Reserved: 13.06.2026 Published: 14.06.2026 Updated: 14.06.2026

nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y
CVSS Score: 7.8

An attacker who can reach the TCP listening port of a Modbus/TCP server built on nanoMODBUS (typically TCP/502 on industrial / OT networks) sends a single crafted MBAP frame with Length=255 to corrupt the buf_idx field of the nmbs_t struct, causing denial of service or, on memory-protection-less embedded targets, additional information disclosure or unintended register writes.

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	Low	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVSS Score: 8.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
CVSS Score: 9

Access Vector	Network	Confidentiality Impact	Partial
Access Complexity	Low	Integrity Impact	Partial
Authentication	None	Availability Impact	Complete

CVSS 2.0

Product Status

Vendor	debevv
Product	nanoMODBUS
Versions	Default: unknown affected from 0 to 1.23.0 (incl.)

Vendor

debevv

Product

nanoMODBUS

Versions

Default: unknown

affected from 0 to 1.23.0 (incl.)

Credits

Burxonov Muslimbek finder

References

Problem Types

CWE-193 Off-by-one Error CWE
CWE-787 Out-of-bounds Write CWE

Impacts

A remote unauthenticated attacker who can reach a Modbus/TCP server built on nanoMODBUS can send a crafted MBAP frame with the Length field set to 255 to overflow the 260-byte receive buffer by one byte, corrupting the adjacent buf_idx field of the nmbs_t struct with an attacker-controlled value. This yields denial of service (subsequent handler calls treat the corrupted buf_idx as a register count / offset and crash, hang, or return invalid data), one-byte information disclosure on bare-metal and RTOS targets without memory protection (ARM Cortex-M, ESP32, STM32 class), and the possibility of writing to unintended register addresses on the FC16 (Write Multiple Registers) handler path. No authentication, no user interaction, and no special configuration are required.