HIGH | CVE-2026-54410 | Published | Modified | CNA: TuranSec

CVE-2026-54410: nanoMODBUS through v1

nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows remote unauthenticated attackers to write one attacker-controlled byte past the end of the 260-byte receive buffer by sending a crafted MBAP frame whose Length field is set to 255. The overflow corrupts the adjacent buffer-index field of the nanoMODBUS state structure, resulting in denial of service through invalid memory accesses and, on bare-metal and RTOS targets without memory protection, one-byte information disclosure and writes to unintended register addresses on the Write Multiple Registers (FC16) handler path.

Metrics

CVSS v4.0: 7.8
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

An off-by-one buffer overflow in the nanoMODBUS library (versions through 1.23.0) exists in the recv_msg_header() function of the Modbus/TCP server implementation. A remote, unauthenticated attacker can trigger the overflow by sending a crafted MBAP frame with a Length field of 255, writing one attacker-controlled byte past the end of a 260-byte receive buffer. Successful exploitation crashes the affected service and, on bare-metal or RTOS targets without memory protection, enables one-byte data disclosure and unintended writes to register addresses via the FC16 handler path. No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
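The length check that keeps a Modbus/TCP frame inside a 260-byte buffer, as an added example (not nanoMODBUS code and not from the advisory). The helper name `mbap_check`, the verdict enum and the sample headers are hypothetical; the limits assumed are the standard Modbus/TCP framing values of a 7-byte MBAP header and a 253-byte maximum PDU.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Modbus/TCP framing limits: 7-byte MBAP header + at most 253 PDU bytes. */
#define MBAP_HEADER_LEN 7u
#define MODBUS_MAX_PDU  253u
#define MODBUS_MAX_ADU  (MBAP_HEADER_LEN + MODBUS_MAX_PDU)   /* 260 */

enum mbap_verdict { MBAP_OK = 0, MBAP_SHORT, MBAP_BAD_PROTOCOL,
                    MBAP_LEN_TOO_SMALL, MBAP_LEN_TOO_LARGE };

/* Hypothetical helper: validate an MBAP header before any body bytes are
 * copied. On MBAP_OK, *adu_len is the full frame size (never above 260). */
enum mbap_verdict mbap_check(const uint8_t *hdr, size_t n, size_t *adu_len)
{
    if (n < MBAP_HEADER_LEN)
        return MBAP_SHORT;
    uint16_t protocol = (uint16_t)((hdr[2] << 8) | hdr[3]);
    uint16_t length   = (uint16_t)((hdr[4] << 8) | hdr[5]);
    if (protocol != 0)
        return MBAP_BAD_PROTOCOL;
    /* Length counts the unit id plus the PDU, so it needs at least the
     * unit id and a function code. */
    if (length < 2)
        return MBAP_LEN_TOO_SMALL;
    /* 6 bytes precede the unit id. Length 254 gives 260 (fits exactly);
     * Length 255 gives 261, one byte past a 260-byte buffer. */
    if ((size_t)length + 6u > MODBUS_MAX_ADU)
        return MBAP_LEN_TOO_LARGE;
    *adu_len = (size_t)length + 6u;
    return MBAP_OK;
}

/* Constructed sample headers (not captured traffic). */
static const uint8_t hdr_len_254[7] = {0x00, 0x01, 0x00, 0x00, 0x00, 0xFE, 0x01};
static const uint8_t hdr_len_255[7] = {0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0x01};

int main(void)
{
    size_t adu = 0;
    printf("Length=254 -> verdict %d\n", mbap_check(hdr_len_254, 7, &adu));
    printf("Length=255 -> verdict %d\n", mbap_check(hdr_len_255, 7, &adu));
    return 0;
}
```

The same check can sit in a protocol-aware gateway in front of affected devices, dropping frames that return `MBAP_LEN_TOO_LARGE` before they reach the listener.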

HarborGuard Coverage

Detection

Detection of CVE-2026-54410 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle nanoMODBUS at an affected version.

Status: Available
Triage

Triage is available using the CVSS v4.0 score of 7.8 (HIGH), weighted against each customer organization's configured compliance policy. Findings are routed to the appropriate team inbox within each environment based on severity thresholds and workload tagging rules.

Status: Available
Patch

Because no upstream fix version exists for CVE-2026-54410, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is published upstream. In the interim, compensating controls are available for review in the HarborGuard remediation panel, including network-policy isolation of Modbus/TCP listeners and egress filtering to reduce exposure of affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable Modbus/TCP server must be reachable over the network; an attacker sends a crafted MBAP frame to the listening port with no prior session or handshake required.

  • Authentication: Not required

    No credentials or account are needed; the overflow is triggered by a single unauthenticated TCP frame.

  • Victim interaction: Not required

    No user action or interaction is required; the server processes the malicious frame automatically on receipt.

  • Attack complexity: Detail

    Exploit conditions are straightforward and reliable: the attacker only needs to set the MBAP Length field to 255, and neither a race condition nor knowledge of the specific memory layout is required to trigger the overflow.

Blast Radius

  • Crashes the nanoMODBUS Modbus/TCP server through invalid memory accesses, taking the affected service offline.
  • On bare-metal and RTOS targets without memory protection, reads one byte of data from memory adjacent to the receive buffer, leaking internal state.
  • On bare-metal and RTOS targets without memory protection, writes one attacker-controlled byte to unintended register addresses via the Write Multiple Registers (FC16) handler, corrupting device register state.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-54410 has been published, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available as soon as debevv releases a corrected version of nanoMODBUS. For customers who opt into auto-remediation, that rebuild will trigger a regression-test run and a PR opened against affected workloads without manual intervention. While no patch exists, the HarborGuard remediation panel surfaces compensating-control guidance for affected environments: isolating Modbus/TCP listener ports via Kubernetes NetworkPolicy or firewall rules to restrict inbound access to trusted hosts only, applying egress filtering on Modbus/TCP workloads to limit lateral reach, and, where the deployment model allows, disabling or sandboxing FC16 handler paths on targets without hardware memory protection. Customers should review impacted images flagged in their HarborGuard dashboard and assess whether bare-metal or RTOS deployment contexts increase exposure beyond the base CVSS score.

Affected packages
  • debevv / nanoMODBUS
    ≤ 1.23.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/AU:Y