nanoMODBUS through v1.22.0 has a stack-based buffer overflow in recvreadregistersres() in nanomodbus.c. When a client calls nmbsreadholdingregisters() or nmbsreadinputregisters(), the library writes register data from the server response to the caller-provided buffer based on the response's bytecount field before validating that bytecount matches the requested quantity. A malicious Modbus TCP server can send a response with bytecount=250 (125 registers) regardless of the requested quantity, causing up to 248 bytes of attacker-controlled data to overflow the buffer, potentially allowing remote code execution.
{
"cna_assigner": "mitre",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29972.json"
}