CVE-2026-54410
HIGH
CVSS 7.8
No EPSS data
Description
nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-54410",
"cveTags": [],
"metrics": {
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-54410",
"role": "CISA Coordinator",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "partial"
}
],
"version": "2.0.3",
"timestamp": "2026-06-15T17:00:11.456275Z"
}
}
],
"cvssMetricV2": [
{
"type": "Secondary",
"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"cvssData": {
"version": "2.0",
"baseScore": 9,
"accessVector": "NETWORK",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:C",
"authentication": "NONE",
"integrityImpact": "PARTIAL",
"accessComplexity": "LOW",
"availabilityImpact": "COMPLETE",
"confidentialityImpact": "PARTIAL"
},
"acInsufInfo": false,
"impactScore": 8.5,
"baseSeverity": "HIGH",
"obtainAllPrivilege": false,
"exploitabilityScore": 10,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"type": "Secondary",
"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 8.6,
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"integrityImpact": "LOW",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "NONE",
"confidentialityImpact": "LOW"
},
"impactScore": 4.7,
"exploitabilityScore": 3.9
}
],
"cvssMetricV40": [
{
"type": "Secondary",
"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"cvssData": {
"Safety": "NOT_DEFINED",
"version": "4.0",
"Recovery": "NOT_DEFINED",
"baseScore": 7.8,
"Automatable": "YES",
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X",
"exploitMaturity": "PROOF_OF_CONCEPT",
"providerUrgency": "NOT_DEFINED",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "NONE",
"subIntegrityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"vulnAvailabilityImpact": "HIGH",
"availabilityRequirement": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"subConfidentialityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED"
}
}
]
},
"affected": [
{
"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"affectedData": [
{
"repo": "https://github.com/debevv/nanoMODBUS",
"vendor": "debevv",
"product": "nanoMODBUS",
"versions": [
{
"status": "affected",
"version": "0",
"versionType": "semver",
"lessThanOrEqual": "1.23.0"
}
],
"programFiles": [
"nanomodbus.c"
],
"collectionURL": "https://github.com/debevv/nanoMODBUS",
"defaultStatus": "unknown",
"programRoutines": [
{
"name": "recv_msg_header"
}
]
}
]
}
],
"published": "2026-06-14T18:17:20.330",
"references": [
{
"url": "https://cwe.mitre.org/data/definitions/193.html",
"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c"
},
{
"url": "https://cwe.mitre.org/data/definitions/787.html",
"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c"
},
{
"url": "https://github.com/debevv/nanoMODBUS",
"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c"
},
{
"url": "https://github.com/debevv/nanoMODBUS/blob/v1.23.0/nanomodbus.c#L369",
"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c"
}
],
"vulnStatus": "Deferred",
"weaknesses": [
{
"type": "Secondary",
"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c",
"description": [
{
"lang": "en",
"value": "CWE-193"
},
{
"lang": "en",
"value": "CWE-787"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path."
}
],
"lastModified": "2026-06-17T10:58:13.263",
"sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c"
}
}