Home

Description

A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, in the interaction model command processing logic. When an InvokeCommandRequest is sent to a nonexistent endpoint and cluster (e.g., 0x34), the code incorrectly treats the endpoint as valid due to missing checks in CodegenDataModelProvider::Invoke. This causes a VerifyOrDie failure in ProcessCommandDataIB and results in a crash (SIGABRT). The issue has been acknowledged and fixed in a later revision (PR #37207).

PUBLISHED Reserved 2025-08-16 | Published 2026-07-14 | Updated 2026-07-14 | Assigner mitre

References

github.com/project-chip/connectedhomeip/issues/37184

github.com/project-chip/connectedhomeip/pull/37207

github.com/project-chip/connectedhomeip/

cve.org (CVE-2025-56365)

nvd.nist.gov (CVE-2025-56365)

Download JSON