Description
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin(...), the device listens on UDP port 137 and processes untrusted NBNS requests from the local network.
The request parser trusts the attacker-controlled name_len field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow. This vulnerability is fixed in 3.3.8.
Published: 2026-04-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Memory Corruption
Action: Apply Patch
AI Analysis

Impact

Prior to version 3.3.8 the Arduino core for ESP32 devices parses NetBIOS Name Service (NBNS) packets without validating the name_len field and copies the resulting payload into a fixed‑size buffer. This flaw allows an attacker on the same local network to send a crafted UDP packet to port 137 and trigger a memory corruption that can lead to arbitrary code execution or system crash. The vulnerability is listed under CWE‑121, a stack buffer overflow. The high CVSS score of 8.8 reflects the potential for severe impact on confidentiality, integrity, and availability when the flaw is exploited.

Affected Systems

The affected product is espressif:arduino-esp32, the Arduino core for ESP32, ESP32‑S2, ESP32‑S3, ESP32‑C3, ESP32‑C6 and ESP32‑H2 microcontrollers. All releases prior to 3.3.8 are vulnerable; the flaw is fixed in version 3.3.8 and later.

Risk and Exploitability

CVSS 8.8 places this issue in the high severity range, and the EPSS score of less than 1% indicates a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, yet it can be exploited by an adversary who can send packets to the affected device from the local network. The actor needs only local network access; network segmentation or firewall rules that block UDP port 137 reduce the attack surface. Because the flaw leads to memory corruption, an exploit could achieve arbitrary code execution or denial of service depending on the device configuration.

Generated by OpenCVE AI on April 28, 2026 at 05:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Arduino ESP32 core to version 3.3.8 or later
  • If NetBIOS is not required, disable NBNS by removing the NBNS.begin(...) call from the code
  • Configure network or firewall rules to block or restrict UDP traffic on port 137 to limit local‑network reachability

Generated by OpenCVE AI on April 28, 2026 at 05:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Espressif esp32
Espressif esp32-c3
Espressif esp32-c6
Espressif esp32-h2
Espressif esp32-s2
Espressif esp32-s3
CPEs cpe:2.3:a:espressif:arduino-esp32:*:*:*:*:*:*:*:*
cpe:2.3:h:espressif:esp32-c3:-:*:*:*:*:*:*:*
cpe:2.3:h:espressif:esp32-c6:-:*:*:*:*:*:*:*
cpe:2.3:h:espressif:esp32-h2:-:*:*:*:*:*:*:*
cpe:2.3:h:espressif:esp32-s2:-:*:*:*:*:*:*:*
cpe:2.3:h:espressif:esp32-s3:-:*:*:*:*:*:*:*
cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*
Vendors & Products Espressif esp32
Espressif esp32-c3
Espressif esp32-c6
Espressif esp32-h2
Espressif esp32-s2
Espressif esp32-s3

Mon, 27 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Espressif
Espressif arduino-esp32
Vendors & Products Espressif
Espressif arduino-esp32

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin(...), the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled name_len field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow. This vulnerability is fixed in 3.3.8.
Title Improper validation of NBNS name_len in arduino-esp32 NetBIOS leads to memory corruption
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Espressif Arduino-esp32 Esp32 Esp32-c3 Esp32-c6 Esp32-h2 Esp32-s2 Esp32-s3
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T13:34:49.485Z

Reserved: 2026-04-20T15:32:33.814Z

Link: CVE-2026-41429

cve-icon Vulnrichment

Updated: 2026-04-27T13:10:49.777Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T20:16:27.663

Modified: 2026-05-05T18:12:04.277

Link: CVE-2026-41429

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z

Weaknesses