PT-2026-35072 · Espressif Systems · Arduino-Esp32

Amemoyoi · Published 2026-04-24 · Updated 2026-04-25 · CVE-2026-41429

CVSS v3.1: 8.8 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: arduino-esp32 versions prior to 3.3.8

Description: A remotely reachable memory corruption issue exists in the NBNS packet handling path. When NetBIOS is enabled via the NBNS.begin() function, the device listens on UDP port 137 and processes untrusted NBNS requests from the local network. The request parser trusts the attacker-controlled name len field without enforcing a bound consistent with the fixed-size destination buffers used later in the flow.

Recommendations: Update to version 3.3.8. As a temporary workaround, avoid calling the NBNS.begin() function to disable NetBIOS functionality.
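
The class of check the description says was missing, shown as an added example: this is not arduino-esp32 code and not the 3.3.8 patch. It assumes the standard RFC 1002 first-level name encoding (one length byte of 0x20, then 32 bytes that each carry a nibble); the function name, constants and sample packets are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBNS_ENCODED_LEN 32u                     /* RFC 1002 first-level encoding */
#define NBNS_DECODED_LEN (NBNS_ENCODED_LEN / 2u) /* 15 name bytes + 1 suffix byte */

/* Hypothetical helper: decode the question name at pkt[off] into out.
 * Returns 0 on success, -1 on any malformed input. */
int nbns_decode_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                     char out[NBNS_DECODED_LEN + 1])
{
    if (pkt == NULL || off >= pkt_len)
        return -1;
    uint8_t name_len = pkt[off]; /* untrusted length byte from the wire */
    /* Bound 1: only the length that fits the fixed-size destination is valid. */
    if (name_len != NBNS_ENCODED_LEN)
        return -1;
    /* Bound 2: length byte, label and terminating zero must lie in the datagram. */
    if (pkt_len - off < 1u + NBNS_ENCODED_LEN + 1u)
        return -1;
    const uint8_t *enc = pkt + off + 1;
    if (enc[NBNS_ENCODED_LEN] != 0)
        return -1;
    for (size_t i = 0; i < NBNS_DECODED_LEN; i++) {
        uint8_t hi = enc[2 * i], lo = enc[2 * i + 1];
        /* Each encoded byte carries one nibble as 'A' + nibble. */
        if (hi < 'A' || hi > 'P' || lo < 'A' || lo > 'P')
            return -1;
        out[i] = (char)(((hi - 'A') << 4) | (lo - 'A'));
    }
    out[NBNS_DECODED_LEN] = '\0';
    return 0;
}

/* Constructed samples: "ESP32" padded to 15 bytes with suffix 0x00, once with
 * the correct length byte (0x20) and once claiming 0x40 encoded bytes. */
static const uint8_t sample_ok[]   = "\x20" "EFFDFADDDC" "CACACACACACACACACACA" "AA";
static const uint8_t sample_long[] = "\x40" "EFFDFADDDC" "CACACACACACACACACACA" "AA";

int main(void)
{
    char out[NBNS_DECODED_LEN + 1];
    printf("valid:     %d\n", nbns_decode_name(sample_ok, sizeof sample_ok, 0, out));
    printf("oversized: %d\n", nbns_decode_name(sample_long, sizeof sample_long, 0, out));
    printf("truncated: %d\n", nbns_decode_name(sample_ok, 20, 0, out));
    return 0;
}
```

Validating the length byte against both the destination size and the received datagram length before any copy or decode is what keeps the later fixed-size buffers safe.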

Exploit

Fix

Stack Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-41429

Affected Products

Arduino-Esp32