In OpENer 2.3.0 (commit 76b95cf) when parsing incoming CIP (Common Industrial Protocol) network packets, the length parameter is inconsistently typed across the call stack. Specifically, an upstream length calculated as an int is passed to a downstream function that expects an EipInt16 (a 16-bit signed integer). If a maliciously crafted packet with specific length fields is processed, the length parameter can overflow or be truncated into a negative value. This negative length bypasses subsequent bounds checking (due to signed/unsigned comparison issues) and is ultimately used in memory operations, leading to a Stack Buffer Overflow when reading data in DecodePaddedEPath.
Metrics
Affected Vendors & Products
References
History
Fri, 17 Jul 2026 08:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Stack Buffer Overflow in OpENer 2.3.0 CIP Protocol Allows Remote Code Execution |
Thu, 16 Jul 2026 16:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Stack Buffer Overflow in OpENer 2.3.0 due to Signed/Unsigned Length Misuse in CIP Packet Parsing | |
| Weaknesses | CWE-129 CWE-194 |
Tue, 14 Jul 2026 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Stack Buffer Overflow in OpENer 2.3.0 due to Signed/Unsigned Length Misuse in CIP Packet Parsing | |
| Weaknesses | CWE-129 CWE-194 |
Tue, 14 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-190 | |
| Metrics |
cvssV3_1
|
Mon, 13 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Eipstackgroup
Eipstackgroup opener |
|
| Vendors & Products |
Eipstackgroup
Eipstackgroup opener |
Mon, 13 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In OpENer 2.3.0 (commit 76b95cf) when parsing incoming CIP (Common Industrial Protocol) network packets, the length parameter is inconsistently typed across the call stack. Specifically, an upstream length calculated as an int is passed to a downstream function that expects an EipInt16 (a 16-bit signed integer). If a maliciously crafted packet with specific length fields is processed, the length parameter can overflow or be truncated into a negative value. This negative length bypasses subsequent bounds checking (due to signed/unsigned comparison issues) and is ultimately used in memory operations, leading to a Stack Buffer Overflow when reading data in DecodePaddedEPath. | |
| References |
|
Status: PUBLISHED
Assigner: mitre
Published: 2026-07-13T00:00:00.000Z
Updated: 2026-07-14T13:39:38.351Z
Reserved: 2026-06-08T00:00:00.000Z
Link: CVE-2026-51536
Updated: 2026-07-14T13:39:18.970Z
No data.
No data.