CVE-2026-56111
Status: Received - Intake
Marlin Firmware Out-of-Bounds Write via M421 G-code

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: VulnCheck

Description
Marlin Firmware through 2.1.2.7, fixed in commit 1f255d1, when built with MESH_BED_LEVELING enabled, contains an out-of-bounds write vulnerability in the M421 G-code handler that allows attackers to corrupt firmware memory by supplying out-of-range X and Y grid indices. Attackers can send a single crafted G-code command via USB serial, network interface, or malicious gcode file to write an attacker-controlled 32-bit float value past the z_values array bounds, corrupting adjacent firmware variables and causing denial of service or firmware state corruption.
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
marlin_firmware marlin_firmware 2.1.2.7
marlin_firmware marlin_firmware to 2.1.2.7 (inc)
CWE
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
AI Quick Actions
Executive Summary

CVE-2026-56111 is an out-of-bounds write vulnerability in Marlin Firmware versions up to 2.1.2.7 when built with MESH_BED_LEVELING enabled. The vulnerability exists in the M421 G-code handler, which sets a single Z value in the mesh bed leveling grid (the z_values array). The handler does not validate the upper bounds of the X and Y grid indices, so an attacker can supply indices past the end of the grid.

By sending a single crafted M421 G-code command via USB serial, network interface, or a malicious gcode file, an attacker can write an attacker-controlled 32-bit float value beyond the bounds of the z_values array. This out-of-bounds write corrupts adjacent firmware memory, potentially causing denial of service or firmware state corruption.

The issue was fixed in commit 1f255d1 by adding strict upper bound checks on the indices, ensuring they fall within valid ranges defined by GRID_MAX_POINTS_X and GRID_MAX_POINTS_Y.

Impact Analysis

An attacker who can submit G-code to the printer can corrupt the memory of a device running an affected Marlin build. Specifically, the out-of-bounds write lets the attacker cause a denial of service or corrupt the firmware's internal state.

Such corruption can lead to unpredictable device behavior, crashes, or failure to operate correctly, which may disrupt 3D printing operations or other functions relying on the firmware.

The attack needs only the ability to submit a single G-code command: locally over USB serial, over the network where the printer exposes a network interface, or through a malicious gcode file that the printer later runs. It is a practical risk wherever those inputs are reachable by an untrusted party.

Detection Guidance

This vulnerability can be detected by monitoring for the presence of crafted M421 G-code commands that contain out-of-range X and Y grid indices sent via USB serial, network interface, or malicious gcode files.

Specifically, detection involves checking if any M421 commands have indices outside the valid range of 0 to GRID_MAX_POINTS_X - 1 for X and 0 to GRID_MAX_POINTS_Y - 1 for Y, which in default configurations is typically 0 to 2.

You can inspect logs or intercept G-code commands sent to the firmware and look for M421 commands with invalid indices.

Example commands to detect suspicious M421 usage might include:

  • Using a serial monitor or network sniffer, filter for M421 commands and check their parameters.
  • Example grep command on logs: grep '^M421' <logfile> | awk '{for (i = 2; i <= NF; i++) { l = toupper(substr($i, 1, 1)); v = substr($i, 2) + 0; if ((l == "X" || l == "Y") && (v < 0 || v > 2)) { print; break } } }'
    (The parameter letter must be stripped before the numeric comparison: comparing a raw field such as "X3" against 2 in awk treats it as 0 and never fires. Replace the 2 with GRID_MAX_POINTS_X - 1 and GRID_MAX_POINTS_Y - 1 for your build.)
  • Use firmware debugging or verbose logging modes to capture and analyze incoming G-code commands.
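The following C program is an added example written for this page; it is not Marlin's source and not the fix commit. It models both halves of the text above: the index check on an M421 write before and after adding the upper bounds described in the Executive Summary, and the Detection Guidance idea run over a constructed G-code log. It assumes the default 3x3 MESH_BED_LEVELING grid, accepts the I/J index letters that Marlin's M421 documentation uses alongside the X/Y used on this page, and only computes where an unchecked write would land rather than performing it.

```c
/* Added example for CVE-2026-56111: modelled M421 index check (vulnerable vs
 * fixed) plus a log scanner. Not Marlin code; all G-code below is constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mesh dimensions; 3x3 is the MESH_BED_LEVELING default in Configuration.h. */
#define GRID_MAX_POINTS_X 3
#define GRID_MAX_POINTS_Y 3

/* The kind of check the page describes as insufficient: only negatives rejected. */
static bool index_ok_vulnerable(int ix, int iy) { return ix >= 0 && iy >= 0; }

/* The fixed check: both indices must lie inside float z_values[X][Y]. */
static bool index_ok_fixed(int ix, int iy) {
    return ix >= 0 && ix < GRID_MAX_POINTS_X && iy >= 0 && iy < GRID_MAX_POINTS_Y;
}

/* Byte offset from the start of z_values that a write to z_values[ix][iy]
 * would touch. Computed, never performed, so this program stays in bounds. */
static long write_offset(int ix, int iy) {
    return ((long)ix * GRID_MAX_POINTS_Y + iy) * (long)sizeof(float);
}

/* How many bytes of that 4-byte write land past the end of z_values. */
static long bytes_past_end(int ix, int iy) {
    long array_end = (long)GRID_MAX_POINTS_X * GRID_MAX_POINTS_Y * (long)sizeof(float);
    long write_end = write_offset(ix, iy) + (long)sizeof(float);
    return write_end > array_end ? write_end - array_end : 0;
}

typedef struct { int ix, iy; bool has_z; double z; } m421_t;

/* Clamp before converting so hostile values (X1e30, Xnan) cannot trigger
 * undefined double-to-int conversion inside the scanner itself. */
static int to_index(double v) {
    if (v != v) return -1;
    return (int)(v > 1e6 ? 1e6 : (v < -1e6 ? -1e6 : v));
}

/* Parse "M421 X<i> Y<j> Z<v>" (index form as on this page; I/J accepted too).
 * Returns false when the line is not an M421 command at all. */
static bool parse_m421(const char *line, m421_t *c) {
    c->ix = c->iy = -1; c->has_z = false; c->z = 0.0;
    if (strncmp(line, "M421", 4) != 0) return false;
    if (line[4] != '\0' && !isspace((unsigned char)line[4])) return false;
    for (const char *p = line + 4; *p; ) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0' || *p == ';') break;               /* end of line or comment */
        char letter = (char)toupper((unsigned char)*p);
        char *end;
        double v = strtod(p + 1, &end);
        bool numeric = (end != p + 1);
        if (numeric) {
            if (letter == 'X' || letter == 'I') c->ix = to_index(v);
            else if (letter == 'Y' || letter == 'J') c->iy = to_index(v);
            else if (letter == 'Z') { c->z = v; c->has_z = true; }
        }
        p = numeric ? end : p + 1;
        while (*p && !isspace((unsigned char)*p)) p++;     /* skip trailing junk */
    }
    return true;
}

/* Scan newline-separated G-code. Returns the number of M421 lines failing the
 * fixed check; *would_corrupt gets how many of those the vulnerable check
 * would still have passed through to the z_values write. */
static int scan_gcode(const char *text, int *would_corrupt, bool verbose) {
    int flagged = 0;
    *would_corrupt = 0;
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t full = nl ? (size_t)(nl - text) : strlen(text), len = full;
        char line[128];
        if (len >= sizeof line) len = sizeof line - 1;      /* truncate, never overrun */
        memcpy(line, text, len);
        line[len] = '\0';
        m421_t c;
        if (parse_m421(line, &c) && !index_ok_fixed(c.ix, c.iy)) {
            flagged++;
            bool slips = index_ok_vulnerable(c.ix, c.iy);
            if (slips) (*would_corrupt)++;
            if (verbose)
                printf("%-30s %s, offset %ld, %ld byte(s) past z_values\n", line,
                       slips ? "OOB write" : "rejected by both checks",
                       write_offset(c.ix, c.iy), bytes_past_end(c.ix, c.iy));
        }
        text = nl ? nl + 1 : text + full;
    }
    return flagged;
}

/* Constructed sample log mixing legitimate and out-of-range M421 lines. */
static const char SAMPLE_GCODE[] =
    "M421 X0 Y0 Z0.10\n"            /* valid corner */
    "M421 X2 Y2 Z-0.05\n"           /* valid: highest index on a 3x3 mesh */
    "M421 I0 J2 Z0.20\n"            /* valid, I/J index form */
    "M421 X3 Y0 Z1.5\n"             /* X past the grid: 4 bytes past z_values */
    "M421 X-1 Y0 Z0\n"              /* negative: rejected by both checks */
    "M421 X0 Y7 Z0.3 ; late edit\n" /* Y past the row: lands in z_values[2][1] */
    "G1 X10 Y10 F3000\n";           /* unrelated command */

int main(void) {
    int corrupt;
    int flagged = scan_gcode(SAMPLE_GCODE, &corrupt, true);
    printf("%d suspicious M421 line(s), %d would have written out of range\n",
           flagged, corrupt);
    return 0;
}
```

Two things the scan shows that the grep alone does not: an out-of-range Y with a small X (the "X0 Y7" line) stays inside the 36-byte array but lands in a different row's cell, so it corrupts the mesh without reaching adjacent variables, while an out-of-range X (or Y on the last row) walks past the array end; and the negative case is caught by the negative-only check the page describes, so detection should flag both kinds but only the second corrupts memory on an unpatched build. The grid constants must match the build you are defending, since the valid range follows GRID_MAX_POINTS_X and GRID_MAX_POINTS_Y.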
Mitigation Strategies

The immediate mitigation step is to update the Marlin firmware to a version that includes the fix from commit 1f255d1 or later.

This fix enforces proper bounds checking on the M421 G-code handler, ensuring that X and Y indices are within valid ranges and preventing out-of-bounds writes.

Until the firmware is updated, restrict or monitor access to interfaces that accept G-code commands (USB serial, network, or file uploads) to prevent attackers from sending crafted M421 commands.

Additionally, consider disabling MESH_BED_LEVELING if it is not required, as the vulnerability only exists when this feature is enabled.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
