nanoMODBUS through v1.23.0 contains an off-by-one buffer...
High severity
Unreviewed
Published
Jun 14, 2026
to the GitHub Advisory Database
•
Updated Jun 14, 2026
Description
Published by the National Vulnerability Database
Jun 14, 2026
Published to the GitHub Advisory Database
Jun 14, 2026
Last updated
Jun 14, 2026
nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path.
References