Memory Corruption Vulnerability in Arduino Core for ESP32 Microcontrollers
CVE-2026-41429

8.8HIGH

Key Information:

Vendor: Espressif
Status: Arduino-esp32
Vendor: CVE Published:; 24 April 2026

What is CVE-2026-41429?

The arduino-esp32 core, designed for various ESP32 microcontroller models, contains a memory corruption vulnerability due to mishandling of NBNS (NetBIOS Name Service) packets. When the NBNS service is activated, it listens on UDP port 137, making it susceptible to untrusted requests from local network sources. The vulnerability arises from the request parser not adequately validating the attacker-controlled name_len field, leading to potential exploitation through crafted NBNS requests. This issue has been addressed in version 3.3.8, emphasizing the importance of updating to mitigate security risks.

Affected Version(s)

arduino-esp32 < 3.3.8

References

https://github.com/espressif/arduino-esp32/security/advis...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 24, 2026
Vulnerability Reserved
Apr 20, 2026

CVE-2026-41429 Data

JSON

Espressif

What is CVE-2026-41429?

Affected Version(s)

References

CVSS V3.1

Timeline