Description
The Semtech LR11xx LoRa transceivers running early versions of firmware contain an information disclosure vulnerability in their firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.
Published: 2026-04-07
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of Encrypted Firmware
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the firmware validation routine of Semtech LR11xx LoRa transceivers. During a firmware validity check over the SPI interface, the device decrypts encrypted firmware blocks one by one. Unfortunately, the final decrypted block is not cleared from memory after validation completes, leaving residual data that can be read by subsequent memory read operations. This flaw effectively bypasses the encryption protection on firmware, allowing an attacker to retrieve confidential firmware contents and potentially compromise device integrity. The weakness corresponds to CWE‑226, a failure to properly delete or overwrite intermediate state data.
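The residual-buffer pattern described above, as an added C model (not Semtech firmware and not code from the advisory). The XOR "cipher", the checksum, and the names `scratch`, `validate_image` and `demo` are assumptions made for illustration; `wipe == 0` reproduces the uncleared last block, `wipe == 1` zeroizes the buffer on every exit path.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK 16
#define TOY_KEY 0x5A  /* toy XOR key, stands in for the real cipher */

/* Modelled scratch RAM that a later memory-read command could reach. */
static uint8_t scratch[BLOCK];

static void toy_decrypt(const uint8_t *in, uint8_t *out) {
    for (size_t i = 0; i < BLOCK; i++) out[i] = in[i] ^ TOY_KEY;
}

/* Wipe through a volatile pointer so the stores are not optimized away. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Decrypt block by block into scratch, folding plaintext into a checksum. */
static int validate_image(const uint8_t *img, size_t len, uint32_t want, int wipe) {
    uint32_t sum = 0;
    int ok = 0;
    if (len == 0 || len % BLOCK != 0) goto out;  /* reject malformed input */
    for (size_t off = 0; off < len; off += BLOCK) {
        toy_decrypt(img + off, scratch);
        for (size_t i = 0; i < BLOCK; i++) sum = sum * 31u + scratch[i];
    }
    ok = (sum == want);
out:
    if (wipe) secure_wipe(scratch, sizeof scratch);  /* success and failure */
    return ok;
}

/* Constructed 2-block image; returns how many bytes of the last plaintext
 * block are still readable in scratch after validation. */
size_t demo(int wipe) {
    uint8_t plain[2 * BLOCK], img[2 * BLOCK];
    uint32_t want = 0;
    size_t leaked = 0;
    for (size_t i = 0; i < sizeof plain; i++) {
        plain[i] = (uint8_t)(i + 1);          /* non-zero sample plaintext */
        img[i] = plain[i] ^ TOY_KEY;
        want = want * 31u + plain[i];
    }
    memset(scratch, 0, sizeof scratch);
    if (!validate_image(img, sizeof img, want, wipe)) return (size_t)-1;
    for (size_t i = 0; i < BLOCK; i++) leaked += (scratch[i] == plain[BLOCK + i]);
    return leaked;
}

int main(void) { return (demo(0) == BLOCK && demo(1) == 0) ? 0 : 1; }
```
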

Affected Systems

Semtech LR1110, Semtech LR1120, and Semtech LR1121 transceivers running early firmware versions are affected. The specific firmware releases that contain the flaw are not enumerated in the public advisory, but the problem has been identified in early firmware builds for these transceivers.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity; the EPSS score is below 1%, and the CVE is not listed in KEV. The attack vector is physical (AV:P): an attacker needs physical access to the device’s SPI interface to trigger decryption and extract memory contents. Because the attack does not rely on network or remote interfaces, exploitation risk is confined to environments where physical compromise is feasible. Nevertheless, recovery of the decrypted firmware can aid future attacks, so the vulnerability should be remediated promptly.

Generated by OpenCVE AI on April 7, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the firmware update recommended in Semtech’s security bulletin for the LR1110, LR1120, and LR1121 transceivers.
  • Secure the SPI interface by restricting physical access or applying access controls such as cable locks or port shielding.
  • If a firmware upgrade is not immediately possible, consider disabling unused SPI pins or implementing a protected memory region that clears decrypted data after use.
  • Monitor device logs for anomalous SPI read activity that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description The Semtech LR11xx LoRa transceivers running early versions of firmware contain an information disclosure vulnerability in their firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.
Title Semtech LR11xx Encrypted Firmware Disclosure
First Time appeared Semtech
Semtech lr1110
Semtech lr1120
Semtech lr1121
Weaknesses CWE-226
CPEs cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:*
cpe:2.3:a:semtech:lr1120:*:*:*:*:*:*:*:*
cpe:2.3:a:semtech:lr1121:*:*:*:*:*:*:*:*
Vendors & Products Semtech
Semtech lr1110
Semtech lr1120
Semtech lr1121
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:C/RE:M'}


MITRE

Status: PUBLISHED

Assigner: SWI

Published:

Updated: 2026-04-07T20:42:41.321Z

Reserved: 2025-12-18T00:09:38.279Z

Link: CVE-2025-14858

Vulnrichment

Updated: 2026-04-07T20:37:57.438Z

NVD

Status: Awaiting Analysis

Published: 2026-04-07T20:16:22.397

Modified: 2026-04-08T21:27:00.663

Link: CVE-2025-14858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:45:56Z

Weaknesses