Burxonov Muslimbek

**Name of the Vulnerable Software and Affected Versions** nanoMODBUS versions prior to 1.23.1 **Description** An off-by-one buffer overflow exists in the `recv msg header()` function of the Modbus/TCP server. Remote unauthenticated attackers can write one controlled byte beyond the 260-byte receive buffer by sending a crafted MBAP frame with the `Length` field set to 255. This action corrupts the adjacent buffer-index field of the nanoMODBUS state structure, leading to denial of service via invalid memory accesses. On bare-metal and RTOS (Real-Time Operating System) targets lacking memory protection, this can result in one-byte information disclosure and writes to unintended register addresses within the Write Multiple Registers (FC16) handler path. **Recommendations** Update to a version later than 1.23.0. As a temporary mitigation, restrict access to the `recv msg header()` function or the Modbus/TCP server to trusted networks only.

**Name of the Vulnerable Software and Affected Versions** driftregion iso14229 versions 14229 through 0.9.0 **Description** An integer underflow and subsequent out-of-bounds read exist in the `Handle 0x27 SecurityAccess()` function within the `iso14229.c` file. A remote unauthenticated attacker can crash a UDS server and potentially read memory beyond the receive buffer by sending a single-byte 0x27 SecurityAccess request following a well-formed 0x27 message. The issue occurs because the handler reads the SecurityAccess subFunction from `recv buf[1]` without verifying that `recv len` is at least 2. Consequently, when `recv len` is 1, the calculation of key-data length via unsigned subtraction `(uint16 t)(recv len - UDS 0X27 REQ BASE LEN)` underflows to 65535. This value is then passed as `args.len` to the `SecAccessValidateKey` or `SecAccessRequestSeed` callbacks, which may iterate or copy that amount of data from the 4-KB receive buffer. This flaw affects deployments on automotive ECUs, industrial controllers, and IoT devices using the library as a UDS server across CAN bus, OBD-II, ISO-TP, and DoIP transports in the default diagnostic session. **Recommendations** Update driftregion iso14229 versions 14229 through 0.9.0 to a version that implements a `recv len` lower-bound check in the `Handle 0x27 SecurityAccess()` function. As a temporary workaround, restrict access to the `Handle 0x27 SecurityAccess()` function to minimize the risk of exploitation.