OpenPLC Runtime v3 Heap-Based Buffer Overflow Vulnerability in Modbus Master Component

Vulnerability

A heap-based buffer overflow vulnerability has been identified in OpenPLC Runtime v3, specifically in the Modbus Master component. The issue arises in the getData() function within webserver/core/modbus_master.cpp, where the function reads data into a user-supplied buffer without proper size validation or bounds checking. This vulnerability affects all versions of OpenPLC Runtime v3 up to the latest master commit (b470206). An authenticated attacker with access to the OpenPLC web interface can exploit this vulnerability by sending a crafted HTTP POST request to the /modbus endpoint, using an oversized device_name value. The overflow occurs as the value is saved to mbconfig.cfg and parsed upon loading, overwriting adjacent struct fields and causing heap corruption. This heap corruption leads to a runtime crash, disrupting the PLC process control loop and causing a denial-of-service condition.

Impact

Exploitation of this vulnerability causes heap corruption, allowing for an overwrite of adjacent struct fields (protocol, dev_address, ip_port) with attacker-controlled data. This heap corruption results in a runtime crash, causing a denial-of-service condition that disrupts the PLC process control loop, which is critical for maintaining physical process control in industrial environments.

Reproduction

To reproduce this vulnerability, an authenticated user must send an HTTP POST request to the /modbus endpoint with a device_name value that exceeds 99 characters. This oversized value will overflow the 100-byte allocated buffer, corrupting the heap and overwriting adjacent struct fields.

Added: Jul 18, 2026, 2:24 PM
Updated: Jul 18, 2026, 2:24 PM

Vulnerability Rating

Custom Algorithm
spread
2.6
impact
3.1
exploitability
4.5
remediation
7.7
relevance
10.0
threat
4.8
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.