PatchSiren cyber security CVE debrief
CVE-2026-38719 EIPStackGroup CVE debrief
A medium-severity out-of-bounds read vulnerability exists in OpENer v2.3-558-g1e99582, an open-source EtherNet/IP stack implementation. The flaw resides in the Common Packet Format (CPF) parser within `CreateCommonPacketFormatStructure()` in `source/src/enet_encap/cpf.c`. An attacker can craft a malicious ENIP/CPF message with a manipulated `item_count` value that is not consistently validated against the remaining `data_length` of the CPF slice, leading to an out-of-bounds read condition. This vulnerability was published to the CVE database on May 18, 2026, with subsequent modification the same day. The CVSS 3.1 vector indicates local attack vector, low attack complexity, no privileges required, no user interaction, and high availability impact (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), resulting in a score of 6.2. The weakness is classified as CWE-125 (Out-of-bounds Read). The vulnerability status is currently marked as 'Deferred' in the NVD. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: EIPStackGroup
- Product: OpENer
- CVSS: MEDIUM 6.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-18
Who should care
Organizations operating industrial control systems, manufacturing environments, or embedded devices utilizing the OpENer EtherNet/IP stack; OT security teams responsible for network protocol security; developers maintaining EtherNet/IP implementations; asset owners with EtherNet/IP-enabled devices in critical infrastructure sectors.
Technical summary
The vulnerability stems from inconsistent validation in the CPF parser: the attacker-controlled `item_count` field is not properly checked against the actual remaining `data_length` of the CPF data slice. This allows crafted ENIP/CPF messages to trigger out-of-bounds memory reads during packet processing. The affected function `CreateCommonPacketFormatStructure()` in `cpf.c` fails to enforce the relationship between the number of items claimed and the buffer space available. The resulting memory safety violation can cause denial of service, which matches the high availability impact in the CVSS vector.
Defensive priority
medium
Recommended defensive actions
- Review OpENer source code in `source/src/enet_encap/cpf.c`, specifically the `CreateCommonPacketFormatStructure()` function, to identify insufficient validation between `item_count` and `data_length` fields
- Implement or verify bounds checking that ensures `item_count` values cannot exceed the available data length in CPF message parsing
- Apply patches from the OpENer project when available, monitoring the referenced GitHub issue for remediation status
- Consider network segmentation for EtherNet/IP devices to limit exposure of OpENer-based implementations
- Monitor CPF message inputs for anomalous `item_count` values that may indicate exploitation attempts
Evidence notes
Vulnerability description and technical details sourced from official CVE record and NVD entry. CVSS vector and score confirmed from NVD metadata. CWE-125 classification sourced from NVD weakness data. Vendor information marked as unknown/needs review per source data. OpENer repository and issue references provided as source links.
Official resources
2026-05-18T17:16:32.127Z