CVE-2026-23747

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-23747
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit 48f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes (int) or 32 bytes (float) can overflow the stack, resulting in a crash/denial of service. This is reachable via LightDB State on_payload with a malicious server or MITM.

3.7 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
https://github.com/golioth/golioth-firmware-sdk/commit/48f521bcc0187ada2b9cbdad31dc380e6c7b7332
https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0
https://secmate.dev/disclosures/SECMATE-2025-0015
https://www.vulncheck.com/advisories/golioth-firmware-sdk-payload-utils-stack-based-buffer-overflow
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) La versión 0.10.0 del SDK de firmware de Golioth anterior a la 0.22.0, corregida en el commit 48f521b, contiene un desbordamiento de búfer basado en pila en Payload Utils. Las funciones auxiliares golioth_payload_as_int() y golioth_payload_as_float() copian datos de carga útil suministrados por la red en búferes de pila de tamaño fijo usando memcpy() con una longitud derivada de payload_size. Las únicas comprobaciones de longitud están protegidas por assert(); en las compilaciones de lanzamiento, los asserts se eliminan en la compilación y memcpy() puede copiar un payload_size ilimitado. Las cargas útiles de más de 12 bytes ('int') o 32 bytes ('float') pueden desbordar la pila, lo que resulta en un fallo/denegación de servicio. Esto es accesible a través de LightDB State on_payload con un servidor malicioso o MitM.

27 Feb 2026, 15:16

Type Values Removed Values Added
References
  • () https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/ -

26 Feb 2026, 19:32

Type Values Removed Values Added
References
  • () https://secmate.dev/disclosures/SECMATE-2025-0015 -

26 Feb 2026, 18:23

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-26 18:23

Updated : 2026-04-15 00:35

NVD link : CVE-2026-23747

Mitre link : CVE-2026-23747

CVE.ORG link : CVE-2026-23747

JSON object : View

Products Affected

No product.

CWE
CWE-121

Stack-based Buffer Overflow