CVE-2026-13592
BufWriter::append Out-of-Bounds Write in Liftoff-SR CIPster

Vulnerability report for CVE-2026-13592, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability was detected in liftoff-sr CIPster up to e8e9dba09bf56962807d3504b783ccdb6287f3e4. Affected by this issue is the function BufWriter::append of the component EtherNet IP Message Handler. Performing a manipulation results in out-of-bounds write. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is named 3a0159ed43125dcd024a1965f0289cb186bae9ff. To fix this issue, it is recommended to deploy a patch.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Associated CPE (1):

Vendor: liftoff-sr
Product: cipster
Version / Range: up to e8e9dba09bf56962807d3504b783ccdb6287f3e4 (excluding)

CWE

CWE-119: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-13592 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The vulnerability in CIPster is a memory corruption issue in the BufWriter::append function of the EtherNet/IP Message Handler component. It arises from corruption of shared ByteBuf metadata: the ByteBuf object header is exposed through two incompatible attributes, a readable/writable kCipByteArray and a readable/writable kCipUdint, so a write through one view alters the metadata the other view relies on.

An attacker can exploit this by using the SetAttributeSingle operation on the kCipUdint attribute to overwrite the low 32 bits of the ByteBuf.start pointer, extending the logical size of the buffer beyond its actual limit. This corrupted metadata then allows out-of-bounds (OOB) read or write operations when accessing the kCipByteArray attribute, potentially leading to memory corruption.

The root cause is that CIPster's generic attribute handlers trust only the CipDataType and the raw storage address, without validating the object layout, and the ByteBuf metadata structure derives its size from limit - start. Together these allow remote unauthenticated attackers to perform OOB memory access, including OOB writes, which can corrupt adjacent memory.

Impact Analysis

This vulnerability allows remote unauthenticated attackers to perform out-of-bounds read and write operations on the affected system's memory. The out-of-bounds write can corrupt adjacent global memory, potentially leading to arbitrary code execution, system crashes, or denial of service.

Because the exploit is remotely accessible and does not require authentication, it poses a significant security risk to devices using the vulnerable CIPster stack, especially in industrial or networked environments where EtherNet/IP is used.

Exploitation could lead to unauthorized control or disruption of industrial control systems or other critical infrastructure components that rely on CIPster, impacting availability and integrity.

Detection Guidance

This vulnerability involves remote exploitation through manipulation of EtherNet/IP attributes, specifically using the SetAttributeSingle operation to corrupt ByteBuf metadata. Detection would involve monitoring network traffic for suspicious or unauthorized SetAttributeSingle requests targeting the kCipUdint and kCipByteArray attributes in CIPster-based EtherNet/IP devices.

Since the vulnerability exploits specific attribute writes, detection could include inspecting EtherNet/IP packets for abnormal attribute modification attempts or unexpected buffer size changes.

However, no explicit detection commands or tools are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to deploy the patch identified by commit 3a0159ed43125dcd024a1965f0289cb186bae9ff, which replaces unsafe generic attribute inserters with compile-time-typed inserters to prevent type mismatches and memory corruption.

Until the patch can be applied, it is recommended to restrict or block remote access to the vulnerable CIPster EtherNet/IP service to prevent exploitation via remote SetAttributeSingle operations.

Additionally, monitoring and filtering network traffic for suspicious attribute modification requests can help reduce risk.
