Description
Marlin Firmware through 2.1.2.7, fixed in commit 1f255d1, when built with MESH_BED_LEVELING enabled, contains an out-of-bounds write vulnerability in the M421 G-code handler that allows attackers to corrupt firmware memory by supplying out-of-range X and Y grid indices. Attackers can send a single crafted G-code command via USB serial, network interface, or malicious gcode file to write an attacker-controlled 32-bit float value past the z_values array bounds, corrupting adjacent firmware variables and causing denial of service or firmware state corruption.
Published: 2026-06-24
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Marlin Firmware version 2.1.2.7 and earlier, when built with MESH_BED_LEVELING, contains an out‑of‑bounds write in the M421 G‑code handler. By supplying X and Y grid indices that exceed the array bounds, an attacker can write an arbitrary 32‑bit float past the z_values array, corrupting adjacent firmware variables and causing denial of service or firmware state corruption.

Affected Systems

The affected product is Marlin Firmware (MarlinFirmware:Marlin). Versions up to and including 2.1.2.7, compiled with MESH_BED_LEVELING enabled, are vulnerable. The issue was fixed in commit 1f255d1 and subsequent releases.

Risk and Exploitability

The CVSS score of 8.3 indicates a high severity vulnerability. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalogue. The attack can be performed by sending a single crafted G‑code command over USB, a network interface, or a malicious gcode file, so an attacker with access to send G‑code to the printer can exploit the flaw without additional privileges.

Generated by OpenCVE AI on June 24, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Marlin firmware release that incorporates the fix (commit 1f255d16) to remove the out‑of‑bounds write vulnerability.
  • If an update cannot be applied immediately, disable the MESH_BED_LEVELING feature or remove support for the M421 G‑code command to eliminate the vulnerable code path.
  • Restrict access to G‑code input channels and validate G‑code files to ensure that X and Y indices are within the valid range before they are processed, thereby preventing accidental out‑of‑bounds writes.
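To make the index-validation point concrete, here is a hypothetical M421 handler written for this page (it is not Marlin's code) that shows the unchecked write the advisory describes beside a version that rejects out-of-range indices before touching z_values. The grid size, the use of I/J for the indices and Z for the value, and the array layout are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed grid size; a real build sets its own dimensions in its configuration. */
#define GRID_MAX_POINTS_X 3
#define GRID_MAX_POINTS_Y 3

/* Mesh storage named after the z_values array the advisory cites (layout assumed). */
static float z_values[GRID_MAX_POINTS_X][GRID_MAX_POINTS_Y];

/* Point *val at the text after a parameter letter, e.g. 'I' in "M421 I1 J2 Z0.25".
 * The letter must start a word so letters inside other tokens are not matched. */
static bool param(const char *line, char letter, const char **val) {
    for (const char *p = line; *p; ++p)
        if (*p == letter && (p == line || p[-1] == ' ')) { *val = p + 1; return true; }
    return false;
}

/* Unchecked form (the CWE-129 pattern the advisory describes): i and j go
 * straight into the subscript, so out-of-range values write past z_values. */
void m421_set_unchecked(int i, int j, float z) { z_values[i][j] = z; }

/* Hardened handler: 0 = stored, -1 = missing/malformed parameter, -2 = index
 * out of range. Indices are parsed as integers and checked BEFORE the write. */
int m421_set_checked(const char *line) {
    const char *si, *sj, *sz;
    char *end;
    if (!param(line, 'I', &si) || !param(line, 'J', &sj) || !param(line, 'Z', &sz))
        return -1;
    long i = strtol(si, &end, 10); if (end == si) return -1;
    long j = strtol(sj, &end, 10); if (end == sj) return -1;
    float z = strtof(sz, &end);    if (end == sz) return -1;
    /* Reject negatives and anything >= the grid dimension; strtol clamps
     * absurdly long digit strings to LONG_MAX, which this check also catches. */
    if (i < 0 || i >= GRID_MAX_POINTS_X || j < 0 || j >= GRID_MAX_POINTS_Y)
        return -2;
    z_values[i][j] = z;
    return 0;
}

/* Read-back helper so callers can confirm what was stored. */
float mesh_value(int i, int j) { return z_values[i][j]; }
```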

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Marlinfirmware; Marlinfirmware marlin
Vendors & Products                    Marlinfirmware; Marlinfirmware marlin

Wed, 24 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:30:00 +0000

Type          Values Removed   Values Added
Description                    Marlin Firmware through 2.1.2.7, fixed in commit 1f255d1, when built with MESH_BED_LEVELING enabled, contains an out-of-bounds write vulnerability in the M421 G-code handler that allows attackers to corrupt firmware memory by supplying out-of-range X and Y grid indices. Attackers can send a single crafted G-code command via USB serial, network interface, or malicious gcode file to write an attacker-controlled 32-bit float value past the z_values array bounds, corrupting adjacent firmware variables and causing denial of service or firmware state corruption.
Title                          Marlin Firmware 2.1.2.7 Out-of-Bounds Write via M421 G-code Handler
Weaknesses                     CWE-129
References
Metrics                        cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}
                               cvssV4_0: {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T15:52:56.140Z

Reserved: 2026-06-18T19:15:10.650Z

Link: CVE-2026-56111

Vulnrichment

Updated: 2026-06-24T15:52:52.058Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:40:44Z

Weaknesses
  • CWE-129: Improper Validation of Array Index