CVE-2026-23748

Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value less than 2 can cause a size_t underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A malicious server or MITM can trigger a denial of service.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
https://github.com/golioth/golioth-firmware-sdk/commit/d7f55b380d8be8b29bd101ce06e421af2e88c12b
https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0
https://secmate.dev/disclosures/SECMATE-2025-0016
https://www.vulncheck.com/advisories/golioth-firmware-sdk-lightdb-state-out-of-bounds-read

Configurations

No configuration.

History

27 Feb 2026, 15:16

Type	Values Removed	Values Added
References		() https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/ -

26 Feb 2026, 19:32

Type	Values Removed	Values Added
References		() https://secmate.dev/disclosures/SECMATE-2025-0016 -

26 Feb 2026, 18:23

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-26 18:23

Updated : 2026-02-27 15:16

NVD link : CVE-2026-23748

Mitre link : CVE-2026-23748

CVE.ORG link : CVE-2026-23748

JSON object : View

Products Affected

No product.

CWE

CWE-191

Integer Underflow (Wrap or Wraparound)

{"id": "CVE-2026-23748", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-26T18:23:06.550", "references": [{"url": "https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/golioth/golioth-firmware-sdk/commit/d7f55b380d8be8b29bd101ce06e421af2e88c12b", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0", "source": "disclosure@vulncheck.com"}, {"url": "https://secmate.dev/disclosures/SECMATE-2025-0016", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/golioth-firmware-sdk-lightdb-state-out-of-bounds-read", "source": "disclosure@vulncheck.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-191"}]}], "descriptions": [{"lang": "en", "value": "Golioth Firmware SDK version\u00a00.10.0 prior to 0.22.0, fixed in commit\u00a0d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value less than 2 can cause a size_t underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A malicious server or MITM can trigger a denial of service."}], "lastModified": "2026-02-27T15:16:29.030", "sourceIdentifier": "disclosure@vulncheck.com"}