8.6 CVE-2026-54410
nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path.
https://nvd.nist.gov/vuln/detail/CVE-2026-54410
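As an added illustration of the bug class (hypothetical code, not nanoMODBUS's own implementation), the C below checks an MBAP frame's Length field against a receive buffer using the figures in the advisory: a 260-byte buffer and a Length of 255. The MBAP Length counts the Unit ID plus the PDU, so a frame occupies 6 + Length bytes; the first check shows how an off-by-one bound admits 255, the second derives the bound from the buffer size so the largest accepted frame is exactly 260 bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical constants matching the advisory's figures: a 260-byte
 * receive buffer (the Modbus/TCP ADU maximum) and a 7-byte MBAP header. */
#define RX_BUF_SIZE     260u
#define MBAP_HDR_LEN    7u
/* MBAP Length counts the Unit ID byte plus the PDU, i.e. everything after
 * the first 6 header bytes, so a whole frame occupies 6 + Length bytes. */
#define MBAP_LEN_PREFIX 6u

/* Read the big-endian 16-bit Length field from a raw MBAP header. */
static uint16_t mbap_length(const uint8_t *hdr) {
    return (uint16_t)((hdr[4] << 8) | hdr[5]);
}

/* Off-by-one form of the bound (illustrative only): budgeting 5 header
 * bytes instead of 6 admits Length == 255, and 6 + 255 = 261 bytes then
 * have to fit in a 260-byte buffer. */
static bool frame_fits_off_by_one(uint16_t length) {
    return length <= RX_BUF_SIZE - 5u;
}

/* Corrected bound, derived from the buffer size and the real header
 * layout: the largest accepted frame is exactly RX_BUF_SIZE bytes. */
static bool frame_fits(uint16_t length) {
    return (size_t)MBAP_LEN_PREFIX + length <= RX_BUF_SIZE;
}

/* Store one frame in the fixed receive buffer only after validating its
 * Length field; returns bytes stored, or 0 when the frame is rejected. */
static size_t recv_frame(uint8_t *dst, const uint8_t *frame, size_t n) {
    if (n < MBAP_HDR_LEN) return 0;
    size_t total = MBAP_LEN_PREFIX + mbap_length(frame);
    if (!frame_fits(mbap_length(frame)) || n < total) return 0;
    memcpy(dst, frame, total);
    return total;
}

/* Constructed test frame: Transaction 1, Protocol 0, the given Length,
 * Unit ID 1, zero-filled PDU. Returns the bytes the server would accept. */
size_t accepted_bytes(uint16_t length) {
    static uint8_t wire[MBAP_LEN_PREFIX + 0xFFFFu];
    static uint8_t rx[RX_BUF_SIZE];
    const uint8_t head[MBAP_LEN_PREFIX] = {0x00, 0x01, 0x00, 0x00,
                                           (uint8_t)(length >> 8), (uint8_t)length};
    memcpy(wire, head, MBAP_LEN_PREFIX);
    memset(wire + MBAP_LEN_PREFIX, 0x00, length);
    if (length) wire[MBAP_LEN_PREFIX] = 0x01;   /* Unit ID */
    return recv_frame(rx, wire, MBAP_LEN_PREFIX + length);
}
```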
Categories
CWE-193 : Off-by-one Error
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

An "off-by-five" error was reported for sudo in 2002 (CVE-2002-0184), but that is more like a "length calculation" error.

Detection: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).

Mitigation: When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

Observed examples:
- Off-by-one error allows remote attackers to cause a denial of service and possibly execute arbitrary code via requests that do not contain newlines.
- Off-by-one vulnerability in driver allows users to modify kernel memory.
- Off-by-one error allows local users or remote malicious servers to gain privileges.
- Off-by-one buffer overflow in function used by server allows local users to execute arbitrary code as the server user via .htaccess files with long entries.
- Off-by-one buffer overflow in version control system allows local users to execute arbitrary code.
- Off-by-one error in FTP server allows a remote attacker to cause a denial of service (crash) via a long PORT command.
- Off-by-one buffer overflow in FTP server allows local users to gain privileges via a 1024 byte RETR command.
- Multiple buffer overflows in chat client allow remote attackers to cause a denial of service and possibly execute arbitrary code.
- Multiple off-by-one vulnerabilities in product allow remote attackers to cause a denial of service and possibly execute arbitrary code.
- Off-by-one buffer overflow in server allows remote attackers to cause a denial of service and possibly execute arbitrary code. This is an interesting example that might not be an off-by-one.
- An off-by-one enables a terminating null to be overwritten, which causes 2 strings to be merged and enables a format string.
- Off-by-one error allows source code disclosure of files with 4 letter extensions that match an accepted 3-letter extension.
- Off-by-one buffer overflow.
- Off-by-one error causes an snprintf call to overwrite a critical internal variable with a null value.
- Off-by-one error in function used in many products leads to a buffer overflow during pathname management, as demonstrated using multiple commands in an FTP server.
- Off-by-one error allows read of sensitive memory via a malformed request.
- Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion.
References
309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c
AFFECTED (from MITRE)
| Vendor | Product | Versions |
| --- | --- | --- |
| debevv | nanoMODBUS | |
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
CPE
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date |
| --- | --- | --- |
| No known exploits | | |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
| --- | --- | --- |
| No entry | | |