VYPR
Medium severity 6.2 · NVD Advisory · Published May 18, 2026 · Updated May 18, 2026

CVE-2026-38719


Description

OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message can supply an attacker-controlled item_count value that is not consistently validated against the remaining data_length of the CPF slice

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpENer v2.3-558-g1e99582 has an out-of-bounds read in its CPF parser due to insufficient validation of item_count, allowing crafted ENIP messages to cause memory disclosure.

Vulnerability

The vulnerability resides in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c of OpENer v2.3-558-g1e99582 (commit 1e99582). The Common Packet Format (CPF) parser reads an attacker-controlled item_count value from the incoming ENIP message without consistently validating subsequent reads against the remaining data_length of the CPF slice. This allows an out-of-bounds read when item_count is larger than the available data. [1][2]

Exploitation

An attacker with network access can send a crafted ENIP/CPF message containing a CPF slice with a manipulated item_count (e.g., 0xe801). The parser trusts this value and continues reading structured fields beyond the slice boundary, leading to an out-of-bounds read. No authentication or user interaction is required; the vulnerability is triggered during normal message processing. [2]

Impact

Successful exploitation results in an out-of-bounds read, potentially disclosing heap memory contents. This could leak sensitive information from the device's memory. The CVSS score is 6.2 (medium), indicating a moderate confidentiality impact. No code execution is reported. [2]

Mitigation

As of the publication date (2026-05-18), no official fix has been released. The issue is tracked in GitHub issue #558 [2]. Users should monitor the OpENer repository for a patched version. A workaround is to restrict network access to the device to trusted hosts only. [1][2]
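The bounds check this advisory says is missing can be sketched as follows. This is an added example, not OpENer's code or a patch from the project: it assumes the standard CPF layout (a little-endian UINT16 item count followed by items of type ID, length and data), and the function name `cpf_checked_item_count`, the `max_items` cap and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CPF_ITEM_HEADER_LEN 4u /* type_id (2 bytes) + length (2 bytes) */

/* Read a little-endian UINT16; the caller guarantees two readable bytes. */
static uint16_t rd16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Walk a CPF slice without reading past data_length. Returns the item count,
 * or -1 if the slice is malformed. max_items is a caller-chosen cap. */
int cpf_checked_item_count(const uint8_t *data, size_t data_length,
                           uint16_t max_items) {
    if (data == NULL || data_length < 2) return -1;
    uint16_t item_count = rd16le(data);
    const uint8_t *p = data + 2;
    size_t remaining = data_length - 2;

    /* Early reject: each claimed item needs at least a 4-byte header. */
    if (item_count > max_items) return -1;
    if ((size_t)item_count * CPF_ITEM_HEADER_LEN > remaining) return -1;

    for (uint16_t i = 0; i < item_count; i++) {
        if (remaining < CPF_ITEM_HEADER_LEN) return -1;
        uint16_t item_len = rd16le(p + 2);
        p += CPF_ITEM_HEADER_LEN;
        remaining -= CPF_ITEM_HEADER_LEN;
        if (item_len > remaining) return -1; /* body would overrun the slice */
        p += item_len;
        remaining -= item_len;
    }
    return (int)item_count;
}

/* Constructed sample slices (not captured traffic). */
const uint8_t cpf_ok[] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
                          0xB2, 0x00, 0x02, 0x00, 0xAA, 0xBB};
const uint8_t cpf_big_count[] = {0x01, 0xE8, 0x00, 0x00, 0x00, 0x00}; /* 0xe801 */
const uint8_t cpf_short_body[] = {0x01, 0x00, 0xB2, 0x00, 0x08, 0x00, 0xAA};

int main(void) {
    printf("%d %d %d\n",
           cpf_checked_item_count(cpf_ok, sizeof cpf_ok, 8),
           cpf_checked_item_count(cpf_big_count, sizeof cpf_big_count, 8),
           cpf_checked_item_count(cpf_short_body, sizeof cpf_short_body, 8));
    return 0;
}
```

The key property is that `remaining` is re-checked before every header and body read, so neither an oversized item count nor an oversized per-item length can move the read pointer past the slice.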

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
