The vulnerability in nanoMODBUS (<=1.23.0) arises from an off-by-one buffer overflow in the recv_msg_header() function of its Modbus/TCP server implementation. An attacker can send a malicious MBAP frame with the Length field set to 255, causing a single byte to be written beyond the 260-byte receive buffer. This corrupts the adjacent buffer-index field in the nanoMODBUS state structure. The corruption results in denial of service through invalid memory accesses. Additionally, on bare-metal and RTOS systems lacking memory protection, this overflow can cause one-byte information disclosure and unintended register writes on the Write Multiple Registers (FC16) handler path. The vulnerability has a CVSS 4.0 base score of 7.8, indicating high severity. No official patch or remediation is currently documented, and no known exploits are reported in the wild.

Remote unauthenticated attackers can exploit this off-by-one overflow to cause denial of service by corrupting internal state and triggering invalid memory accesses. On systems without memory protection (bare-metal or RTOS), the vulnerability also allows limited information disclosure and unauthorized writes to Modbus registers, potentially impacting device operation or data integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider mitigating exposure by restricting network access to the Modbus/TCP server and monitoring for anomalous MBAP frames with suspicious Length fields. Avoid deploying nanoMODBUS on unprotected bare-metal or RTOS targets without memory protection where possible.