{"uuid": "7ad64094-7c1a-4903-9d0d-bca940abd4dd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-51541", "type": "seen", "source": "https://gist.github.com/MrAlaskan/705c680856e48c535148265c0899ad4b", "content": "# Security Advisory: CVE-2026-51541\n\n## Vulnerability Information\n* **CVE ID:** CVE-2026-51541\n* **Vendor:** EIPStackGroup\n* **Product:** OpENer (Version 2.3.0)\n* **Vulnerability Type:** CWE-125: Out-of-bounds Read\n* **Attack Type:** Remote, Unauthenticated\n* **Impact:** Denial of Service (DoS)\n\n## Description\nAn out-of-bounds read vulnerability exists in the CIP explicit message parsing logic of OpENer 2.3.0. A remotely crafted malformed CIP request may cause the EPATH decoder to read beyond the valid receive buffer, leading to a Denial of Service condition.\n\n## Affected Component\nThe vulnerability affects the CIP explicit message parsing path, including `source/src/cip/cipcommon.c` and `source/src/cip/cipmessagerouter.c`, specifically the `DecodePaddedEPath` and `CreateMessageRouterRequestStructure` functions.\n\n## Attack Vectors\nAn unauthenticated, remote attacker with network access to the target OpENer instance can exploit this vulnerability by connecting to the EtherNet/IP TCP port, typically TCP/44818, and completing session registration.\n\nThe attacker can then send a crafted `SendRRData` request containing a malformed CIP explicit message with inconsistent path length information. Due to insufficient validation of the remaining input length during EPATH decoding, the parser may read beyond the valid receive buffer.\n\nSuccessful exploitation can crash the OpENer process and deny service to legitimate industrial communication clients.\n\n## References\n* GitHub Issue: https://github.com/EIPStackGroup/OpENer/issues/582", "creation_timestamp": "2026-07-09T03:44:40.481247Z"}