OpenPLC_v3 Heap-Based Buffer Overflow (CVE-2026-11826)
An authenticated attacker can exploit CVE-2026-11826, a heap-based buffer overflow in OpenPLC_v3's web interface, by sending a crafted HTTP POST request to the /modbus endpoint with an oversized device_name value, causing heap corruption, a runtime crash, and denial of service of the PLC process control loop, with no expected patch.
CVE-2026-11826 details a critical heap-based buffer overflow vulnerability affecting OpenPLC_v3, specifically within the getData() function located in webserver/core/modbus_master.cpp. This function is responsible for reading characters between delimiters but lacks bounds checking, making it susceptible to overflow when invoked with an oversized input. An authenticated attacker can exploit this by sending a specially crafted HTTP POST request to the /modbus endpoint through the OpenPLC web interface. The vulnerability occurs when an unusually long device_name value (exceeding the allocated 100-byte buffer for MB_device.dev_name) is persisted to mbconfig.cfg and subsequently parsed. This leads to heap corruption, overwriting adjacent configuration fields such as protocol, dev_address, and ip_port, ultimately causing a runtime crash and denial of service for the PLC process control loop. As the upstream repository for OpenPLC_v3 was archived on April 4, 2026, no official fix is anticipated, though OpenPLC Runtime v4 is confirmed to be unaffected.
Attack Chain
- An authenticated attacker gains access to the OpenPLC_v3 web interface, typically through legitimate credentials or compromised accounts.
- The attacker crafts a malicious HTTP POST request targeting the
/modbusendpoint of the OpenPLC web server. - The crafted request includes an
device_nameparameter with a value significantly larger than 100 bytes, which exceeds the buffer size. - The OpenPLC web server receives the request, and its
parseConfig()function processes the configuration data, including the oversizeddevice_name. - During configuration parsing, the
getData()function is called to read thedevice_nameinto a 100-byte heap-allocated buffer (MB_device.dev_name). - Due to the lack of bounds checking in
getData(), the oversizeddevice_namevalue overflows the buffer, causing heap corruption. - The heap corruption overwrites adjacent critical struct fields, including
protocol(at offset 108),dev_address(at offset 109), andip_port(at offset 210). - The integrity of the OpenPLC process is compromised, leading to a runtime crash and denial of service, effectively halting the PLC's process control loop.
Impact
Successful exploitation of CVE-2026-11826 results in a critical denial of service (DoS) for affected OpenPLC_v3 systems. The heap corruption directly causes a runtime crash of the PLC process, leading to an immediate cessation of its control functions. This can have severe consequences in industrial control system (ICS) environments, potentially disrupting critical operations, causing production outages, or leading to unsafe conditions depending on the PLC's role. Additionally, the attacker-controlled overwrite of adjacent configuration fields introduces the risk of further system compromise or manipulation, although direct remote code execution is not explicitly detailed. As OpenPLC_v3 is no longer maintained, affected organizations face ongoing risk without a vendor-provided patch.
Recommendation
- If possible, upgrade from OpenPLC_v3 to OpenPLC Runtime v4 to remediate CVE-2026-11826, as the vulnerability does not affect the newer version.
- Deploy the provided Sigma rule to your SIEM to detect exploitation attempts of CVE-2026-11826 via suspicious HTTP POST requests to the
/modbusendpoint. - Ensure web server logs capture full HTTP request details, including
cs-method,cs-uri-stem, andcs-uri-query, to activate the detection rule. - Implement strong authentication policies and regularly audit accounts with access to the OpenPLC web interface (referencing the "authenticated attacker" detail in the Overview).
Detection coverage 1
Detects CVE-2026-11826 Exploitation - OpenPLC_v3 Heap Buffer Overflow
highDetects exploitation attempts for CVE-2026-11826, a heap-based buffer overflow in OpenPLC_v3, by identifying HTTP POST requests to /modbus with an unusually long 'device_name' parameter in the query string, indicative of an oversized payload.
Detection queries are available on the platform. Get full rules →