CVE-2026-13590

Heap-based Buffer Overflow in PcapPlusPlus Modbus Protocol Handler

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A security flaw has been discovered in seladb PcapPlusPlus 25.05. It affects the function pcpp::ModbusLayer::getLength in the file Packet++/header/ModbusLayer.h of the component Modbus Protocol Handler. Manipulation of the argument length results in a heap-based buffer overflow. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability is said to be difficult. The exploit has been released to the public and may be used for attacks. The patch is identified as 4c90c3e3418a2b09dc82b7ca5775e9c1e22fe454. Applying a patch is advised to resolve this issue.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
seladb pcapplusplus 25.05

CWE
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-13590 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a heap-based buffer overflow in the Modbus protocol parsing module of the PcapPlusPlus library, specifically in the function pcpp::ModbusLayer::getLength. It occurs when the software processes truncated or malformed Modbus packets that have insufficient payload length. The function accesses Modbus header fields without properly validating the length of the packet data, which can cause it to read beyond the allocated memory buffer.

The issue arises because the Modbus TCP header requires at least 6 bytes to safely read the length field, but the implementation does not check if the packet data length meets this requirement before accessing these fields. As a result, feeding a truncated packet shorter than 6 bytes can lead to out-of-bounds memory access, causing a heap-buffer-overflow.

The vulnerability can be triggered remotely by sending specially crafted Modbus packets to the affected system. The exploit has been publicly released, and a patch has been made available to fix the issue by adding proper validation checks before parsing the packet.

Impact Analysis

An attacker can trigger the heap-based buffer overflow remotely, which can lead to a program crash or denial of service when the vulnerable software processes malformed Modbus packets.

Because the exploitability is considered difficult and requires high complexity, the immediate risk might be limited, but the availability of a public exploit increases the threat potential.

If exploited, it could disrupt services relying on the PcapPlusPlus library's Modbus protocol handler, potentially causing system instability or downtime.

Detection Guidance

This vulnerability can be detected by monitoring for malformed or truncated Modbus TCP packets, especially those sent to port 502 with fewer than 8 payload bytes, which trigger the heap-buffer-overflow in the ModbusLayer component.

Running the parser in a build instrumented with AddressSanitizer, for example during fuzzing, can help reproduce and detect the vulnerability: the sanitizer reports heap-buffer-overflow reads when specially crafted short packets are processed.

Network detection commands could include filtering or capturing Modbus TCP traffic on port 502 and inspecting packet lengths. For example, using tcpdump or tshark:

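  • tcpdump -i <interface> filtering on port 502 and a TCP payload of less than 8 bytes (IPv4 example, excluding empty ACK segments: tcpdump -i eth0 'tcp port 502 and (ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) != 0 and (ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) < 8')
  • tshark -i <interface> -Y 'tcp.port == 502 && tcp.len > 0 && tcp.len < 8' to capture short Modbus packets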

Additionally, running the provided proof-of-concept exploit with fuzzing tools can help confirm if the system or application is vulnerable.

Mitigation Strategies

The primary mitigation step is to apply the official patch identified by commit 4c90c3e3418a2b09dc82b7ca5775e9c1e22fe454, which fixes the heap-buffer-overflow by validating the payload length before parsing Modbus packets.

Until the patch is applied, it is advisable to block or filter malformed or truncated Modbus TCP packets on port 502 at the network perimeter to prevent exploitation.

Implementing input validation and ensuring that the ModbusLayer only processes packets with sufficient payload length can prevent the vulnerability from being triggered.

Monitoring for unusual crashes or denial-of-service symptoms in applications using PcapPlusPlus may also help detect exploitation attempts.
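
The length check described in the Executive Summary and called for under Mitigation Strategies, as an added example that is not PcapPlusPlus code and not the upstream patch: a stand-alone C++ validator that refuses to read the MBAP length field unless at least 6 bytes were captured. The names checkMbap, MbapStatus and MbapResult are hypothetical, and the sample payloads are constructed.

```cpp
// Added example: stand-alone MBAP header validation, not PcapPlusPlus code.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Modbus/TCP MBAP header: transaction id (2), protocol id (2), length (2), unit id (1).
constexpr std::size_t kLengthFieldEnd = 6;  // bytes required before the length field is readable
constexpr std::size_t kMbapHeaderSize = 7;

enum class MbapStatus { Ok, TooShortForLength, TooShortForHeader, BadProtocolId, BadLength };

struct MbapResult {
    MbapStatus status;
    std::uint16_t length;  // declared length; 0 unless the field was safely read
};

static std::uint16_t readBe16(const std::uint8_t* p) {
    return static_cast<std::uint16_t>((p[0] << 8) | p[1]);
}

// Hypothetical helper: call on the captured TCP payload before touching any header field.
MbapResult checkMbap(const std::uint8_t* data, std::size_t dataLen) {
    if (data == nullptr || dataLen < kLengthFieldEnd)
        return {MbapStatus::TooShortForLength, 0};  // the truncated case the report describes
    const std::uint16_t length = readBe16(data + 4);
    if (dataLen < kMbapHeaderSize)
        return {MbapStatus::TooShortForHeader, length};
    if (readBe16(data + 2) != 0)  // protocol id is 0 for Modbus
        return {MbapStatus::BadProtocolId, length};
    // The length field counts the unit id plus the PDU: every byte after offset 6.
    if (length == 0 || length > dataLen - kLengthFieldEnd)
        return {MbapStatus::BadLength, length};
    return {MbapStatus::Ok, length};
}

// Constructed sample payloads (not captured traffic).
const std::uint8_t kTruncated[] = {0x00, 0x01, 0x00, 0x00, 0x00};  // 5 bytes: length field incomplete
const std::uint8_t kValid[] = {0x00, 0x01, 0x00, 0x00, 0x00, 0x06,
                               0x01, 0x03, 0x00, 0x00, 0x00, 0x0A};  // read holding registers
const std::uint8_t kOverclaim[] = {0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0x01, 0x03};

int main() {
    std::printf("truncated=%d valid=%d overclaim=%d\n",
                static_cast<int>(checkMbap(kTruncated, sizeof kTruncated).status),
                static_cast<int>(checkMbap(kValid, sizeof kValid).status),
                static_cast<int>(checkMbap(kOverclaim, sizeof kOverclaim).status));
    return 0;
}
```

A caller would treat anything other than MbapStatus::Ok as "do not parse as Modbus" and fall back to handling the bytes as opaque payload.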
