CVE-2026-10703
Description
A use-after-return vulnerability in EIPStackGroup OpENer's SendRRData handler allows remote attackers to crash the service by sending a crafted EtherNet/IP packet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-return vulnerability exists in the CreateMessageRouterRequestStructure function within cipmessagerouter.c in EIPStackGroup OpENer up to version 2.3.0. This issue arises from incorrect lifetime management of the CIP payload pointer across various layers, leading to the payload being dereferenced after its memory has been deallocated. The vulnerability is present in the current master branch and was disclosed publicly.
Exploitation
An attacker can exploit this vulnerability remotely by sending a specially crafted EtherNet/IP explicit-message packet. This packet manipulates the pointer lifetime of the CIP payload, causing it to be consumed by the message router after the payload's associated stack-backed buffer has been deallocated, triggering the use-after-return condition.
Impact
Successful exploitation of this vulnerability results in a crash of the OpENer service due to the use-after-return error, specifically a stack-use-after-return detected by AddressSanitizer. This denial-of-service condition prevents the normal operation of the EtherNet/IP stack.
Mitigation
EIPStackGroup has been informed of the vulnerability via an issue report [1], but as of the current master branch, no fix has been released. Users are advised to monitor the project's GitHub repository [2] for updates. There are no other mitigation or workaround details available in the provided references.
- [1] ASan `stack-use-after-return` in TCP SendRRData path via CPF payload pointer lifetime bug
- [2] GitHub - EIPStackGroup/OpENer: OpENer is an EtherNet/IP stack for I/O adapter devices. It supports multiple I/O and explicit connections and includes objects and services for making EtherNet/IP-compliant products as defined in the ODVA specification.
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The vulnerability stems from incorrect lifetime management of a CIP payload pointer across different parsing layers, leading to a use-after-return condition."
Attack vector
A remote attacker can send a crafted EtherNet/IP explicit-message packet. This packet is processed by the SendRRData handler, specifically within the `HandleDataOnTcpSocket` function. The crafted packet causes the CIP payload, initially received into a stack-backed buffer, to be held as a raw pointer. This pointer is later dereferenced after the original buffer's scope has ended, triggering the vulnerability [1].
Affected code
The vulnerability resides in the `CreateMessageRouterRequestStructure` function within the file `cipmessagerouter.c` [1]. The issue is triggered during the handling of TCP SendRRData commands, specifically when processing the CIP payload pointer across layers including `HandleDataOnTcpSocket`, `HandleReceivedExplictTcpData`, `HandleReceivedSendRequestResponseDataCommand`, and `NotifyCommonPacketFormat` [1].
What the fix does
The advisory does not specify a patch or provide remediation guidance, so the exact fix is not detailed. However, the root cause analysis indicates that the issue could be resolved by ensuring the CIP payload is copied rather than held as a raw pointer across parsing layers, preventing the use-after-return.
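The copy-instead-of-borrow approach described above, as an added sketch that is not OpENer's code or a project patch: the parsed item owns a bounded copy of the payload, so a later router-stage read never touches the receive frame. All type and function names and the `MAX_CIP_PAYLOAD` bound are hypothetical, and the packet bytes are a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CIP_PAYLOAD 512 /* assumed bound for this sketch, not an OpENer constant */

/* Hypothetical stand-in for a parsed CPF data item. The payload is an owned
 * copy; the pattern described above would store `const uint8_t *data` here. */
typedef struct {
    size_t  length;
    uint8_t data[MAX_CIP_PAYLOAD];
} OwnedCpfItem;

/* Copy the payload out of the caller's buffer; reject anything that does not fit. */
int cpf_item_capture(OwnedCpfItem *item, const uint8_t *src, size_t len) {
    if (item == NULL || (src == NULL && len != 0) || len > sizeof item->data)
        return -1;
    if (len != 0)
        memcpy(item->data, src, len);
    item->length = len;
    return 0;
}

/* Models the socket layer: the receive buffer exists only in this frame. */
int receive_and_parse(OwnedCpfItem *item, const uint8_t *wire, size_t wire_len) {
    uint8_t rx[MAX_CIP_PAYLOAD];
    if (wire == NULL || wire_len > sizeof rx)
        return -1;
    memcpy(rx, wire, wire_len);
    int rc = cpf_item_capture(item, rx, wire_len);
    memset(rx, 0xAA, sizeof rx); /* stand-in for the stack frame being reused */
    return rc;
}

/* Models the message router reading the CIP service code after the receive frame is gone. */
int router_service_code(const OwnedCpfItem *item) {
    return (item != NULL && item->length >= 1) ? item->data[0] : -1;
}

int main(void) {
    /* Constructed sample: service 0x0E, path size 3 words, class 1 / instance 1 / attribute 1. */
    const uint8_t wire[] = {0x0E, 0x03, 0x20, 0x01, 0x24, 0x01, 0x30, 0x01};
    OwnedCpfItem item;
    if (receive_and_parse(&item, wire, sizeof wire) != 0)
        return 1;
    printf("service code: 0x%02X\n", (unsigned)router_service_code(&item));
    return 0;
}
```

Building a sketch like this with `-fsanitize=address` is a quick way to confirm that no read reaches back into the receive frame.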
Preconditions
- auth: The attacker needs low privileges to send the crafted message.
- network: The vulnerability is remotely exploitable over the network.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.