FKIE_CVE-2026-23748

Vulnerability from fkie_nvd - Published: 2026-02-26 18:23 - Updated: 2026-04-15 00:35
Severity ?
3.7 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value less than 2 can cause a size_t underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A malicious server or MITM can trigger a denial of service.
References
disclosure@vulncheck.comhttps://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
disclosure@vulncheck.comhttps://github.com/golioth/golioth-firmware-sdk/commit/d7f55b380d8be8b29bd101ce06e421af2e88c12b
disclosure@vulncheck.comhttps://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0
disclosure@vulncheck.comhttps://secmate.dev/disclosures/SECMATE-2025-0016
disclosure@vulncheck.comhttps://www.vulncheck.com/advisories/golioth-firmware-sdk-lightdb-state-out-of-bounds-read
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Golioth Firmware SDK version\u00a00.10.0 prior to 0.22.0, fixed in commit\u00a0d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value less than 2 can cause a size_t underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A malicious server or MITM can trigger a denial of service."
    },
    {
      "lang": "es",
      "value": "Golioth Firmware SDK versi\u00f3n 0.10.0 anterior a la 0.22.0, corregida en el commit d7f55b38, contienen una lectura fuera de l\u00edmites en el an\u00e1lisis de cadenas de LightDB State. Al procesar una carga \u00fatil de cadena, un valor de payload_size inferior a 2 puede causar un underflow de size_t al calcular el n\u00famero de bytes a copiar (nbytes). El memcpy() subsiguiente lee m\u00e1s all\u00e1 del final del b\u00fafer de red, lo que puede bloquear el dispositivo. La condici\u00f3n es alcanzable desde on_payload, y golioth_payload_is_null() no bloquea payload_size==1. Un servidor malicioso o MitM puede desencadenar una denegaci\u00f3n de servicio."
    }
  ],
  "id": "CVE-2026-23748",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-26T18:23:06.550",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://github.com/golioth/golioth-firmware-sdk/commit/d7f55b380d8be8b29bd101ce06e421af2e88c12b"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://secmate.dev/disclosures/SECMATE-2025-0016"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://www.vulncheck.com/advisories/golioth-firmware-sdk-lightdb-state-out-of-bounds-read"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-191"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.