{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openplc_v3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-11826"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenPLC_v3"],"_cs_severities":["critical"],"_cs_tags":["ics","ot","buffer-overflow","denial-of-service","cve","industrial-control-systems"],"_cs_type":"advisory","_cs_vendors":["OpenPLC"],"content_html":"\u003cp\u003eCVE-2026-11826 details a critical heap-based buffer overflow vulnerability affecting OpenPLC_v3, specifically within the \u003ccode\u003egetData()\u003c/code\u003e function located in \u003ccode\u003ewebserver/core/modbus_master.cpp\u003c/code\u003e. This function is responsible for reading characters between delimiters but lacks bounds checking, making it susceptible to overflow when invoked with an oversized input. An authenticated attacker can exploit this by sending a specially crafted HTTP POST request to the \u003ccode\u003e/modbus\u003c/code\u003e endpoint through the OpenPLC web interface. The vulnerability occurs when an unusually long \u003ccode\u003edevice_name\u003c/code\u003e value (exceeding the allocated 100-byte buffer for \u003ccode\u003eMB_device.dev_name\u003c/code\u003e) is persisted to \u003ccode\u003embconfig.cfg\u003c/code\u003e and subsequently parsed. This leads to heap corruption, overwriting adjacent configuration fields such as \u003ccode\u003eprotocol\u003c/code\u003e, \u003ccode\u003edev_address\u003c/code\u003e, and \u003ccode\u003eip_port\u003c/code\u003e, ultimately causing a runtime crash and denial of service for the PLC process control loop. As the upstream repository for OpenPLC_v3 was archived on April 4, 2026, no official fix is anticipated, though OpenPLC Runtime v4 is confirmed to be unaffected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker gains access to the OpenPLC_v3 web interface, typically through legitimate credentials or compromised accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/modbus\u003c/code\u003e endpoint of the OpenPLC web server.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes an \u003ccode\u003edevice_name\u003c/code\u003e parameter with a value significantly larger than 100 bytes, which exceeds the buffer size.\u003c/li\u003e\n\u003cli\u003eThe OpenPLC web server receives the request, and its \u003ccode\u003eparseConfig()\u003c/code\u003e function processes the configuration data, including the oversized \u003ccode\u003edevice_name\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring configuration parsing, the \u003ccode\u003egetData()\u003c/code\u003e function is called to read the \u003ccode\u003edevice_name\u003c/code\u003e into a 100-byte heap-allocated buffer (\u003ccode\u003eMB_device.dev_name\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDue to the lack of bounds checking in \u003ccode\u003egetData()\u003c/code\u003e, the oversized \u003ccode\u003edevice_name\u003c/code\u003e value overflows the buffer, causing heap corruption.\u003c/li\u003e\n\u003cli\u003eThe heap corruption overwrites adjacent critical struct fields, including \u003ccode\u003eprotocol\u003c/code\u003e (at offset 108), \u003ccode\u003edev_address\u003c/code\u003e (at offset 109), and \u003ccode\u003eip_port\u003c/code\u003e (at offset 210).\u003c/li\u003e\n\u003cli\u003eThe integrity of the OpenPLC process is compromised, leading to a runtime crash and denial of service, effectively halting the PLC's process control loop.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-11826 results in a critical denial of service (DoS) for affected OpenPLC_v3 systems. The heap corruption directly causes a runtime crash of the PLC process, leading to an immediate cessation of its control functions. This can have severe consequences in industrial control system (ICS) environments, potentially disrupting critical operations, causing production outages, or leading to unsafe conditions depending on the PLC's role. Additionally, the attacker-controlled overwrite of adjacent configuration fields introduces the risk of further system compromise or manipulation, although direct remote code execution is not explicitly detailed. As OpenPLC_v3 is no longer maintained, affected organizations face ongoing risk without a vendor-provided patch.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIf possible, upgrade from OpenPLC_v3 to OpenPLC Runtime v4 to remediate CVE-2026-11826, as the vulnerability does not affect the newer version.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect exploitation attempts of CVE-2026-11826 via suspicious HTTP POST requests to the \u003ccode\u003e/modbus\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnsure web server logs capture full HTTP request details, including \u003ccode\u003ecs-method\u003c/code\u003e, \u003ccode\u003ecs-uri-stem\u003c/code\u003e, and \u003ccode\u003ecs-uri-query\u003c/code\u003e, to activate the detection rule.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication policies and regularly audit accounts with access to the OpenPLC web interface (referencing the \u0026quot;authenticated attacker\u0026quot; detail in the Overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T14:22:30Z","date_published":"2026-07-18T14:22:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openplc-v3-cve-2026-11826/","summary":"An authenticated attacker can exploit CVE-2026-11826, a heap-based buffer overflow in OpenPLC_v3's web interface, by sending a crafted HTTP POST request to the /modbus endpoint with an oversized device_name value, causing heap corruption, a runtime crash, and denial of service of the PLC process control loop, with no expected patch.","title":"OpenPLC_v3 Heap-Based Buffer Overflow (CVE-2026-11826)","url":"https://feed.craftedsignal.io/briefs/2026-07-openplc-v3-cve-2026-11826/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenPLC_v3","version":"https://jsonfeed.org/version/1.1"}