Home

Description

Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value less than 2 can cause a size_t underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A malicious server or MITM can trigger a denial of service.

PUBLISHED Reserved 2026-01-15 | Published 2026-02-26 | Updated 2026-02-26 | Assigner VulnCheck




MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

LOW: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-191 Integer Underflow (Wrap or Wraparound)

Product status

Default status
unaffected

0.10.0 (semver) before 0.22.0
affected

commit d7f55b38 (custom)
unaffected

Credits

SecMate (https://secmate.dev) finder

References

secmate.dev/disclosures/SECMATE-2025-0016 technical-description

github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0 release-notes

github.com/...ommit/d7f55b380d8be8b29bd101ce06e421af2e88c12b patch

www.vulncheck.com/...re-sdk-lightdb-state-out-of-bounds-read third-party-advisory

cve.org (CVE-2026-23748)

nvd.nist.gov (CVE-2026-23748)

Download JSON