Cyber Resilience

CVE-2026-41429

High · Public PoC

Published: 24 April 2026

Modified: 05 May 2026
KEV Added
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (22.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41429 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Espressif Arduino-Esp32. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 22.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-41429 is a remotely reachable memory corruption vulnerability, stemming from a stack-based buffer overflow (CWE-121), in the arduino-esp32 core for ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6, and ESP32-H2 microcontrollers. The issue affects versions prior to 3.3.8 and arises in the NBNS packet handling path when NetBIOS is enabled via NBNS.begin(). In this configuration, the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled name_len field without bounds checking against the fixed-size destination buffers used downstream, enabling overflow.

An attacker on the adjacent network (AV:A) with no privileges (PR:N) can exploit this low-complexity (AC:L) vulnerability without user interaction (UI:N). Successful exploitation leads to high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8, potentially allowing arbitrary code execution or device crashes via crafted NBNS packets.

The vulnerability is fixed in arduino-esp32 version 3.3.8, as detailed in the GitHub Security Advisory GHSA-92j9-c75g-2c5f published by Espressif. Security practitioners should update affected devices to this version and review configurations to disable NBNS if not required.
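
The name_len validation described above, as an added example that is not code from arduino-esp32 or from the advisory. The function name nbns_decode_name, the constants and the sample packet are hypothetical; the layout (12-byte header, one length byte, 32-byte first-level encoded name decoding to 16 bytes) follows RFC 1002.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NBNS_HDR_LEN     12u  /* fixed NBNS header size (RFC 1002) */
#define NBNS_ENCODED_LEN 32u  /* first-level encoded name length */
#define NBNS_NAME_LEN    16u  /* decoded NetBIOS name length */

/* Hypothetical helper: decode the question name of an NBNS request into
 * out (NBNS_NAME_LEN + 1 bytes). Returns 0 on success, -1 if rejected. */
int nbns_decode_name(const uint8_t *pkt, size_t pkt_len,
                     char out[NBNS_NAME_LEN + 1])
{
    /* The datagram must hold the header plus the one-byte length field. */
    if (pkt == NULL || pkt_len < NBNS_HDR_LEN + 1)
        return -1;
    size_t name_len = pkt[NBNS_HDR_LEN];  /* untrusted, 0..255 */
    /* Bound 1: accept only the length the fixed-size output can hold. */
    if (name_len != NBNS_ENCODED_LEN)
        return -1;
    /* Bound 2: encoded name plus terminator must lie inside the datagram. */
    if (pkt_len - (NBNS_HDR_LEN + 1) < name_len + 1)
        return -1;
    const uint8_t *enc = pkt + NBNS_HDR_LEN + 1;
    for (size_t i = 0; i < NBNS_NAME_LEN; i++) {
        uint8_t hi = enc[2 * i], lo = enc[2 * i + 1];
        /* Each encoded byte carries one nibble as 'A' + nibble. */
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;
        out[i] = (char)(((hi - 'A') << 4) | (lo - 'A'));
    }
    out[NBNS_NAME_LEN] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: header zeroed, name is 16 spaces ("CA" pairs). */
    uint8_t pkt[NBNS_HDR_LEN + 1 + NBNS_ENCODED_LEN + 1] = {0};
    char name[NBNS_NAME_LEN + 1];
    pkt[NBNS_HDR_LEN] = NBNS_ENCODED_LEN;
    for (size_t i = 0; i < NBNS_ENCODED_LEN; i++)
        pkt[NBNS_HDR_LEN + 1 + i] = (i % 2) ? 'A' : 'C';
    printf("well-formed request: %d\n", nbns_decode_name(pkt, sizeof pkt, name));
    pkt[NBNS_HDR_LEN] = 0xFF;  /* length field larger than any valid name */
    printf("oversized name_len:  %d\n", nbns_decode_name(pkt, sizeof pkt, name));
    return 0;
}
```

Rejecting every length other than 32 ties the untrusted field to the size of the destination buffer, so no later copy or decode step can be driven past 16 bytes.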

Vulnerability details

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS packet handling path. When NetBIOS is enabled by calling NBNS.begin(...), the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled name_len field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow. This vulnerability is fixed in 3.3.8.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 · Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Stack-based buffer overflow in remotely reachable NBNS service (UDP 137) directly enables exploitation of remote services for RCE or DoS on adjacent network.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42854 · Same product: Espressif Arduino-Esp32
CVE-2023-46272 · Shared CWE-121
CVE-2026-37536 · Shared CWE-121
CVE-2026-22790 · Shared CWE-121
CVE-2025-25679 · Shared CWE-121
CVE-2025-66177 · Shared CWE-121
CVE-2026-30872 · Shared CWE-121
CVE-2026-41089 · Shared CWE-121
CVE-2026-42855 · Same product: Espressif Arduino-Esp32
CVE-2025-30472 · Shared CWE-121

Affected Assets

espressif
arduino-esp32
≤ 3.3.8

Mitigating Controls (NIST 800-53 r5, AI)

prevent

Requires identification, reporting, and timely patching of the specific buffer overflow flaw in arduino-esp32 NBNS handling, as fixed in version 3.3.8.

prevent

Mandates validation of untrusted NBNS packet inputs, including bounds checking the attacker-controlled name_len field against fixed-size destination buffers.

prevent

Prohibits or restricts unnecessary functions like NBNS on UDP port 137, eliminating the vulnerable packet processing path when NetBIOS is not required.
