CVE-2026-23750

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-23750
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
https://github.com/golioth/pouch/commit/1b2219a1
https://secmate.dev/disclosures/SECMATE-2025-0018
https://www.vulncheck.com/advisories/golioth-pouch-ble-gatt-heap-based-buffer-overflow
Configurations

No configuration.

History

27 Feb 2026, 15:16

Type Values Removed Values Added
References
  • () https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/ -

26 Feb 2026, 19:32

Type Values Removed Values Added
References
  • {'url': 'https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0', 'source': 'disclosure@vulncheck.com'}
  • () https://secmate.dev/disclosures/SECMATE-2025-0018 -
Summary (en) Golioth Pouch version 0.1.0 prior to [INSERT FIXED VERSION], fixed in commit 1b2219a1, contain a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption. (en) Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

26 Feb 2026, 18:23

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-26 18:23

Updated : 2026-02-27 15:16

NVD link : CVE-2026-23750

Mitre link : CVE-2026-23750

CVE.ORG link : CVE-2026-23750

JSON object : View

Products Affected

No product.

CWE
CWE-122

Heap-based Buffer Overflow