Description
Golioth Firmware SDK versions 0.10.0 prior to 0.22.0, fixed in commit 48f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes (int) or 32 bytes (float) can overflow the stack, resulting in a crash/denial of service. This is reachable via LightDB State on_payload with a malicious server or MITM.
Published: 2026-02-26
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A stack‑based buffer overflow exists in the Golioth Firmware SDK’s Payload Utils, specifically in the golioth_payload_as_int() and golioth_payload_as_float() helpers. The memcpy() calls that copy network‑supplied payload data into fixed‑size stack buffers are bounded only by assert() checks, which are compiled out in release builds, so the copy length is effectively unchecked. When the payload exceeds 12 bytes for integers or 32 bytes for floats, the overflow corrupts the stack, crashing the device and denying service. The overflow does not provide direct code execution but can be leveraged to disrupt firmware operation.

Affected Systems

All Golioth Firmware SDK installations built from version 0.10.0 up to, but not including, 0.22.0 are affected. Exploitation requires the SDK to be deployed where the LightDB State on_payload path is active and can receive payloads from a malicious server or a man‑in‑the‑middle attacker.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate risk level, while the EPSS probability of less than 1% suggests exploit attempts are expected to be very rare. The vulnerability is not listed in the CISA KEV catalog. The attack vector is reachable through the LightDB State on_payload interface, requiring an attacker to supply a malicious server‑generated payload that exceeds the safe buffer limits. If executed, the exploit would crash the firmware, causing a denial of service but not providing remote control or data exfiltration capabilities.

Generated by OpenCVE AI on April 16, 2026 at 06:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Golioth Firmware SDK to version 0.22.0 or later, which includes the fixed memcpy logic.
  • If an upgrade cannot be performed immediately, validate all incoming payload sizes and reject or truncate any integer payloads larger than 12 bytes or floating‑point payloads larger than 32 bytes before calling the affected functions.
  • Monitor device logs for sudden crashes or abnormal memory usage that may indicate attempts to trigger the overflow and apply patches as soon as the environment permits.
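The assert-only bound described in the advisory, beside the explicit runtime check that the recommended actions call for, as an added C example (a hypothetical reconstruction, not the Golioth SDK's code): the function names, the text-to-integer parsing via strtol() and the copy_bounded() helper are assumptions; only the 12-byte and 32-byte capacities come from the advisory.

```c
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative reconstruction of the pattern in the advisory; hypothetical
 * helpers, not the Golioth SDK's code. Capacities follow the advisory:
 * 12 bytes for int payloads, 32 bytes for float payloads. */
#define INT_BUF_LEN   12
#define FLOAT_BUF_LEN 32

/* Vulnerable pattern: the only bound is an assert(), which NDEBUG removes,
 * so a release build copies whatever length the network supplied. */
static int32_t payload_as_int_unchecked(const uint8_t *payload, size_t payload_size)
{
    char buf[INT_BUF_LEN + 1];
    assert(payload_size <= INT_BUF_LEN);   /* compiled out in release builds */
    memcpy(buf, payload, payload_size);    /* overflows buf when payload_size > 12 */
    buf[payload_size] = '\0';
    return (int32_t)strtol(buf, NULL, 10);
}

/* Hardened form: an explicit runtime check that survives NDEBUG. Copies and
 * NUL-terminates only when the payload fits in cap bytes; otherwise writes
 * nothing and returns false. Serves both the 12-byte and 32-byte buffers. */
static bool copy_bounded(char *buf, size_t cap, const uint8_t *payload, size_t payload_size)
{
    if (payload == NULL || payload_size == 0 || payload_size > cap) return false;
    memcpy(buf, payload, payload_size);
    buf[payload_size] = '\0';
    return true;
}

/* Text-to-int conversion (strtol is an assumption about the wire format). */
static bool payload_as_int_checked(const uint8_t *payload, size_t payload_size, int32_t *out)
{
    char buf[INT_BUF_LEN + 1], *end = NULL;
    if (out == NULL || !copy_bounded(buf, INT_BUF_LEN, payload, payload_size)) return false;
    errno = 0;
    long v = strtol(buf, &end, 10);
    /* Reject trailing garbage, out-of-range longs and values beyond 32 bits. */
    if (end == buf || *end != '\0' || errno != 0 || v < INT32_MIN || v > INT32_MAX) return false;
    *out = (int32_t)v;
    return true;
}
```

The checked variant refuses oversized, empty and malformed payloads with a return value the caller can act on, which is the behaviour a release build needs once assert() is gone.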

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:15:00 +0000
  Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 15:00:00 +0000
  References updated

Fri, 27 Feb 2026 09:15:00 +0000
  First Time appeared: Golioth; Golioth firmware Sdk
  Vendors & Products added: Golioth; Golioth firmware Sdk

Thu, 26 Feb 2026 19:15:00 +0000
  References updated

Thu, 26 Feb 2026 18:00:00 +0000
  Description added: Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit 48f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes (int) or 32 bytes (float) can overflow the stack, resulting in a crash/denial of service. This is reachable via LightDB State on_payload with a malicious server or MITM.
  Title added: Golioth Firmware SDK < 0.22.0 Payload Utils Stack-based Buffer Overflow
  Weaknesses added: CWE-121
  References updated
  Metrics added: cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}; cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:44:12.452Z

Reserved: 2026-01-15T18:42:20.937Z

Link: CVE-2026-23747

Vulnrichment

Updated: 2026-02-27T16:07:21.478Z

NVD

Status : Deferred

Published: 2026-02-26T18:23:06.317

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23747

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses