CVE-2026-11826
Received Received - Intake

Heap Overflow in OpenPLC Web Interface

Vulnerability report for CVE-2026-11826, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulnCheck

Description

OpenPLC_v3 contains a heap-based buffer overflow in the getData() function in webserver/core/modbus_master.cpp. getData() reads characters between two delimiters into a caller-supplied buffer with no size parameter and no bounds check. In parseConfig() the function is invoked with the 100-byte heap-allocated MB_device.dev_name field. An authenticated attacker with access to the OpenPLC web interface can send a crafted HTTP POST to the /modbus endpoint with an oversized device_name value; the value is persisted to mbconfig.cfg and parsed on load, overflowing dev_name and overwriting adjacent struct fields (protocol at offset 108, dev_address at offset 109, ip_port at offset 210). A 200-byte payload writes 100 bytes past the allocation. The result is heap corruption leading to runtime crash and denial of service of the PLC process control loop, with attacker-controlled overwrite of adjacent configuration fields. The upstream repository was archived on 2026-04-04 and no fix is expected; the vendor has confirmed the issue does not affect OpenPLC Runtime v4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openplc openplc to 4.0.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-11826 is a heap-based buffer overflow in OpenPLC_v3's getData() function in webserver/core/modbus_master.cpp. The function reads characters between delimiters into a caller-supplied buffer without size validation or bounds checking. When called from parseConfig(), it writes into a 100-byte heap buffer (MB_device.dev_name). An authenticated attacker can send a crafted HTTP POST to /modbus with an oversized device_name value, causing a 100-byte overflow into adjacent struct fields like protocol, dev_address, and ip_port. This leads to heap corruption, runtime crashes, and denial of service of the PLC process control loop.

Detection Guidance

To detect this vulnerability, monitor HTTP POST requests to the /modbus endpoint with device_name values exceeding 99 characters. Check for heap corruption errors in OpenPLC logs or crashes in the PLC process control loop. Use network traffic analysis tools like Wireshark to inspect payload sizes.

Impact Analysis

This vulnerability allows an authenticated attacker with access to the OpenPLC web interface to cause a denial of service by crashing the PLC process control loop. The attacker can also overwrite adjacent configuration fields, potentially altering device behavior or disrupting industrial control systems. The impact includes runtime crashes and possible disruption of physical process control in ICS/SCADA environments.

Compliance Impact

This vulnerability primarily impacts industrial control systems (ICS) and SCADA environments by enabling denial of service and potential manipulation of PLC configurations. While not directly tied to GDPR or HIPAA, it could indirectly affect compliance by disrupting systems handling sensitive data. For example, a PLC crash in a healthcare setting could impact HIPAA-regulated systems, and in industrial environments, it might violate GDPR if personal data processing is disrupted.

Mitigation Strategies

Immediately restrict access to the OpenPLC web interface to trusted users only. Update to OpenPLC Runtime v4 if possible, as it is unaffected. If using OpenPLC_v3, implement server-side input validation to truncate device_name to 99 characters and add bounds checking in getData().

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11826. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart