CVE-2026-56111 | Marlin Firmware through 2.1.2.7, fixed in commit 1f255d1, wh… | CVSS 9.1 CRITICAL

Description

Marlin Firmware through 2.1.2.7, fixed in commit 1f255d1, when built with MESH_BED_LEVELING enabled, contains an out-of-bounds write vulnerability in the M421 G-code handler that allows attackers to corrupt firmware memory by supplying out-of-range X and Y grid indices. Attackers can send a single crafted G-code command via USB serial, network interface, or malicious gcode file to write an attacker-controlled 32-bit float value past the z_values array bounds, corrupting adjacent firmware variables and causing denial of service or firmware state corruption.

Metadata

CVE ID: CVE-2026-56111
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-18 19:15 UTC
Published: 2026-06-24 14:31 UTC
Last updated: 2026-06-24 15:52 UTC
Primary CWE: CWE-129
Improper Validation of Array Index
Vendor / Product: MarlinFirmware / Marlin
Sources: cve.org · NVD

Severity & Metrics

9.1 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
MarlinFirmware	Marlin	—	0 ≤ 2.1.2.7, 1f255d16ec2d456454fd444494cfb338d62b0fa1

Weakness (CWE)

CWE	Source	Description
CWE-129	cna	Improper Validation of Array Index

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.1	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
8.3	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

References (4)

Researcher Disclosure https://github.com/MarlinFirmware/Marlin/issues/28467
Pull Request https://github.com/MarlinFirmware/Marlin/pull/28468
Patch Commit https://github.com/MarlinFirmware/Marlin/commit/1f255d16ec2d456454fd444494cfb338d62b0fa1
https://www.vulncheck.com/advisories/marlin-firmware-out-of-bounds-write-via-m421-g-code-handler