{"uuid": "66df8721-bae8-4af4-9187-ede53bf21d27", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51540", "type": "seen", "source": "https://gist.github.com/MrAlaskan/5e0c2af7f4a1d188814c7fa8f812c8da", "content": "# Security Advisory: CVE-2026-51540\n\n## Vulnerability Information\n* **CVE ID:** CVE-2026-51540\n* **Vendor:** EIPStackGroup\n* **Product:** OpENer (Version 2.3.0, commit 76b95cf)\n* **Vulnerability Type:** CWE-191: Integer Underflow; CWE-125: Out-of-bounds Read\n* **Attack Type:** Remote, Unauthenticated\n* **Impact:** Denial of Service (DoS); Potential Code Execution\n\n## Description\nA memory corruption vulnerability exists in the handling of connected explicit messages in OpENer 2.3.0. A remotely crafted `SendUnitData` request may trigger an integer underflow during message length processing, causing invalid length handling and out-of-bounds memory access.\n\n## Affected Component\nThe vulnerability affects connected message parsing and EPATH decoding logic, including `source/src/enet_encap/cpf.c`, `source/src/cip/cipmessagerouter.c`, and `source/src/cip/cipcommon.c`, specifically the `NotifyConnectedCommonPacketFormat`, `CreateMessageRouterRequestStructure`, and `DecodePaddedEPath` functions.\n\n## Attack Vectors\nAn unauthenticated, remote attacker with network access to the target OpENer instance can exploit this vulnerability by connecting to the EtherNet/IP TCP port, typically TCP/44818, registering a session, and establishing a standard CIP connection.\n\nThe attacker can then send a crafted `SendUnitData` request containing malformed length and path fields. Due to insufficient validation of connected message length values, the crafted request may cause an integer underflow and allow invalid data to reach the EPATH decoding logic.\n\nSuccessful exploitation can crash the OpENer process, resulting in a Denial of Service condition. Depending on the runtime environment and memory layout, further impact may be possible.\n\n## References\n* Project: https://github.com/EIPStackGroup/OpENer\n* GitHub Issue: https://github.com/EIPStackGroup/OpENer/issues/568", "creation_timestamp": "2026-07-09T03:43:26.325062Z"}