Vulnerability Description
nanoMODBUS through v1.22.0 has a stack-based buffer overflow in recv_read_registers_res() in nanomodbus.c. When a client calls nmbs_read_holding_registers() or nmbs_read_input_registers(), the library writes register data from the server response to the caller-provided buffer based on the response's byte_count field before validating that byte_count matches the requested quantity. A malicious Modbus TCP server can send a response with byte_count=250 (125 registers) regardless of the requested quantity, causing up to 248 bytes of attacker-controlled data to overflow the buffer, potentially allowing remote code execution.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://gist.github.com/dwilliams27/a4e26fe747c8561d608f7549804bd85f
- https://github.com/debevv/nanoMODBUS
- https://github.com/debevv/nanoMODBUS/blob/master/nanomodbus.c#L580-L615
FAQ
What is CVE-2026-29972?
CVE-2026-29972 is a vulnerability with a CVSS score of 8.2 (HIGH). nanoMODBUS through v1.22.0 has a stack-based buffer overflow in recv_read_registers_res() in nanomodbus.c. When a client calls nmbs_read_holding_registers() or nmbs_read_input_registers(), the library...
How severe is CVE-2026-29972?
CVE-2026-29972 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-29972?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.