CVE-2026-23750

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-23750
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
https://github.com/golioth/pouch/commit/1b2219a1
https://secmate.dev/disclosures/SECMATE-2025-0018
https://www.vulncheck.com/advisories/golioth-pouch-ble-gatt-heap-based-buffer-overflow
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) Golioth Pouch versión 0.1.0, anterior al commit 1b2219a1, contiene un desbordamiento de búfer basado en montículo en el manejo de certificados del servidor BLE GATT. server_cert_write() asigna un búfer de montículo del tamaño CONFIG_POUCH_SERVER_CERT_MAX_LEN al recibir el primer fragmento, luego añade fragmentos subsiguientes usando memcpy() sin verificar que quede suficiente capacidad. Un cliente BLE adyacente puede enviar fragmentos no autenticados cuyo tamaño combinado excede el búfer asignado, causando un desbordamiento de montículo y un fallo; también es posible un impacto en la integridad debido a la corrupción de memoria.

27 Feb 2026, 15:16

Type Values Removed Values Added
References
  • () https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/ -

26 Feb 2026, 19:32

Type Values Removed Values Added
References
  • {'url': 'https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0', 'source': 'disclosure@vulncheck.com'}
  • () https://secmate.dev/disclosures/SECMATE-2025-0018 -
Summary (en) Golioth Pouch version 0.1.0 prior to [INSERT FIXED VERSION], fixed in commit 1b2219a1, contain a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption. (en) Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

26 Feb 2026, 18:23

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-26 18:23

Updated : 2026-04-15 00:35

NVD link : CVE-2026-23750

Mitre link : CVE-2026-23750

CVE.ORG link : CVE-2026-23750

JSON object : View

Products Affected

No product.

CWE
CWE-122

Heap-based Buffer Overflow