CVE-2026-41429
Published: 24 April 2026
Summary
CVE-2026-41429 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Espressif Arduino-Esp32. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 5.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires identification, reporting, and timely patching of the specific buffer overflow flaw in arduino-esp32 NBNS handling, as fixed in version 3.3.8.
Mandates validation of untrusted NBNS packet inputs, including bounds checking the attacker-controlled name_len field against fixed-size destination buffers.
Prohibits or restricts unnecessary functions like NBNS on UDP port 137, eliminating the vulnerable packet processing path when NetBIOS is not required.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in remotely reachable NBNS service (UDP 137) directly enables exploitation of remote services for RCE or DoS on adjacent network.
NVD Description
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin(...), the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled name_len field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow. This vulnerability is fixed in 3.3.8.
Deeper analysis
CVE-2026-41429 is a remotely reachable memory corruption vulnerability, stemming from a stack-based buffer overflow (CWE-121), in the arduino-esp32 core for ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 microcontrollers. The issue affects versions prior to 3.3.8 and arises in the NBNS packet handling path when NetBIOS is enabled via NBNS.begin(). In this configuration, the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled name_len field without bounds checking against the fixed-size destination buffers used downstream, enabling overflow.
An attacker on the adjacent network (AV:A) with no privileges (PR:N) can exploit this low-complexity (AC:L) vulnerability without user interaction (UI:N). Successful exploitation leads to high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8, potentially allowing arbitrary code execution or device crashes via crafted NBNS packets.
The vulnerability is fixed in arduino-esp32 version 3.3.8, as detailed in the GitHub Security Advisory GHSA-92j9-c75g-2c5f published by Espressif. Security practitioners should update affected devices to this version and review configurations to disable NBNS if not required.
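The input validation described above (bounding name_len by the fixed-size destination rather than by the sender's claim) can be sketched as follows. This is an added example, not code from arduino-esp32 or its 3.3.8 fix; the function name, constants and packet layout are assumptions based on the standard NBNS first-level name encoding (a 32-byte encoded name that decodes to 16 bytes).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NBNS_HDR_LEN      12  /* fixed NBNS header size */
#define NBNS_ENCODED_LEN  32  /* first-level encoded NetBIOS name */
#define NBNS_NAME_LEN     16  /* decoded name: 15 chars + suffix byte */

/* Hypothetical helper (not the project's API): decode the question name of
 * an untrusted NBNS request into out[NBNS_NAME_LEN + 1].
 * Returns 0 on success, -1 if the packet is rejected. */
int nbns_parse_name(const uint8_t *pkt, size_t pkt_len,
                    char out[NBNS_NAME_LEN + 1])
{
    if (pkt == NULL || out == NULL)
        return -1;
    /* Never hand stale stack contents back to the caller on reject. */
    memset(out, 0, NBNS_NAME_LEN + 1);

    /* Header plus the length byte must exist before name_len is read. */
    if (pkt_len < NBNS_HDR_LEN + 1)
        return -1;
    uint8_t name_len = pkt[NBNS_HDR_LEN];

    /* Bound name_len by the destination size, not by the sender's claim. */
    if (name_len != NBNS_ENCODED_LEN)
        return -1;

    /* The encoded name and its zero terminator must lie in the datagram. */
    if (pkt_len < NBNS_HDR_LEN + 1 + (size_t)name_len + 1)
        return -1;
    const uint8_t *enc = pkt + NBNS_HDR_LEN + 1;
    if (enc[name_len] != 0)
        return -1;

    for (size_t i = 0; i < NBNS_NAME_LEN; i++) {
        uint8_t hi = enc[2 * i], lo = enc[2 * i + 1];
        /* Each encoded byte carries one nibble as 'A' + value. */
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;
        out[i] = (char)(((hi - 'A') << 4) | (lo - 'A'));
    }
    return 0;
}
```

The decode loop runs a fixed NBNS_NAME_LEN iterations, so the write into out can never exceed the buffer regardless of what the packet contains.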
Details
- CWE(s)