Arduino-ESP32 memory corruption (CVE-2026-41429)

Vendor-confirmed - CVE-2026-41429 is a high-severity memory corruption vulnerability in arduino-esp32 prior to 3.3.8 that lets an attacker on the local network potentially crash the device or execute arbitrary code. Patched in version 3.3.8 - update all affected firmware immediately.

Overview

CVE-2026-41429 is a memory corruption flaw in the NetBIOS Name Service (NBNS) packet handler of the arduino-esp32 core. This core is used to program popular ESP32-series microcontrollers (ESP32, ESP32-S2/S3, C3, C6, and H2) that power millions of IoT devices worldwide.

When a developer enables NBNS by calling NBNS.begin(...), the device starts listening on UDP port 137 and processes incoming NBNS requests from the local network. The vulnerability exists because the parser trusts an attacker-controlled name_len field without validating that it fits within the fixed-size destination buffer used later in the code path. This allows an attacker to send a specially crafted NBNS packet that overruns the buffer, corrupting adjacent memory.

Impact

A successful exploitation could cause a denial of service by crashing the ESP32 device. More critically, memory corruption vulnerabilities of this type can potentially be weaponized for remote code execution, allowing an attacker to take full control of the device. Because no authentication is required and user interaction is absent, an attacker on the same network can trigger this flaw remotely.

At a CVSS score of 8.8 (HIGH), this vulnerability is considered a serious risk for any IoT product using an affected version of arduino-esp32 with NBNS enabled.

Affected Versions

All versions of arduino-esp32 prior to 3.3.8 are vulnerable.

Remediation

• Update firmware: Upgrade to arduino-esp32 version 3.3.8 or later, which contains the fix for the NBNS handler.
• Disable NBNS: If updating is not immediately possible, disable NetBIOS by removing any NBNS.begin(...) calls from your firmware. This eliminates the attack surface.
• Segment IoT devices: Place ESP32-based devices on a separate VLAN or isolated network segment to limit exposure to potential attackers on the local network.

Related Reading

• iOS Bug Let FBI Recover Deleted Signal Messages
• LangChain, LangGraph Flaws Expose Files, Secrets,
• Apple Fixes WebKit Vulnerability Enabling Same-Origin

Security Insight

Memory corruption vulnerabilities in embedded network stacks continue to be a persistent threat, particularly in IoT devices that may not receive timely updates. The arduino-esp32 NBNS handler flaw follows a pattern seen in other embedded systems where developer convenience features (like NBNS) introduce attack surface without commensurate input validation. This incident underscores the importance of rigorous code review for network-facing code paths in microcontroller firmware, especially given the difficulty of patching deployed IoT devices in the field.

Further Reading

• iOS Bug Let FBI Recover Deleted Signal Messages
• LangChain, LangGraph Flaws Expose Files, Secrets,
• Apple Fixes WebKit Vulnerability Enabling Same-Origin
• All High Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs