Description
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.
Published: 2026-02-26
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap-based buffer overflow causing memory corruption and potential compromise of integrity
Action: Patch immediately
AI Analysis

Impact

Golioth Pouch version 0.1.0 before commit 1b2219a1 contains a heap-based buffer overflow in the BLE GATT server certificate handling. The server_cert_write() routine allocates a buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment and later uses memcpy() to append subsequent fragments without verifying that the buffer still has enough capacity. An unauthenticated BLE client can send fragments whose combined size exceeds the allocated buffer, leading to a heap overflow that can crash the service and, because memory corruption is involved, also threaten the integrity of data stored on the device.

Affected Systems

The vulnerable product is Golioth Pouch, a BLE GATT server application released by Golioth. The issue affects version 0.1.0 and any build before the fix commit identified by hash 1b2219a1.

Risk and Exploitability

The CVSS 4.0 score of 7.2 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low likelihood of exploitation in the current landscape, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, an attacker within BLE range of the affected device could send unauthenticated certificate fragments whose combined size exceeds the allocated buffer. This would trigger a heap overflow, potentially leading to a crash and memory corruption that can alter device state.

Generated by OpenCVE AI on April 16, 2026 at 06:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Golioth Pouch to a version that incorporates commit 1b2219a1 or later.
  • Modify server_cert_write() to enforce strict bounds checking against CONFIG_POUCH_SERVER_CERT_MAX_LEN before each memcpy operation.
  • If a patch cannot be applied immediately, disable or limit the BLE GATT server so that only authenticated clients can connect, or block BLE traffic to the device entirely.
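The pattern the description and the second recommended action refer to, written out as an added C example that is not Pouch's own code: a hypothetical cert_fragment_write() allocates CONFIG_POUCH_SERVER_CERT_MAX_LEN bytes on the first fragment and checks the remaining capacity before every memcpy(). The struct, function names, return codes, the driver cert_demo() and the buffer size of 256 are assumptions made for this example; the real limit is a Kconfig value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed capacity for this example; in Pouch this is a Kconfig option. */
#define CONFIG_POUCH_SERVER_CERT_MAX_LEN 256

/* Hypothetical reassembly state for a certificate arriving in GATT write fragments. */
struct cert_buf {
    uint8_t *data;  /* heap buffer of exactly cap bytes, NULL when idle */
    size_t len;     /* bytes accumulated so far */
    size_t cap;     /* allocated capacity */
};

enum cert_rc {
    CERT_OK = 0,
    CERT_ERR_ALLOC = -1,
    CERT_ERR_TOO_LONG = -2,
    CERT_ERR_STATE = -3
};

/* first == true: allocate a fresh buffer and store the first fragment.
 * first == false: append a later fragment.
 * The defect described in the advisory is an append that calls memcpy()
 * without checking capacity; here every copy is preceded by a bounds check. */
int cert_fragment_write(struct cert_buf *cb, const uint8_t *frag, size_t frag_len, bool first)
{
    if (first) {
        free(cb->data);  /* discard any partial certificate from a previous attempt */
        cb->data = malloc(CONFIG_POUCH_SERVER_CERT_MAX_LEN);
        cb->len = 0;
        if (cb->data == NULL) {
            cb->cap = 0;
            return CERT_ERR_ALLOC;
        }
        cb->cap = CONFIG_POUCH_SERVER_CERT_MAX_LEN;
    } else if (cb->data == NULL) {
        return CERT_ERR_STATE;  /* append arrived before any first fragment */
    }

    /* Subtraction form: cannot overflow the way len + frag_len could. */
    if (frag_len > cb->cap - cb->len) {
        /* Reject the whole certificate and reset; nothing is copied. */
        free(cb->data);
        cb->data = NULL;
        cb->len = 0;
        cb->cap = 0;
        return CERT_ERR_TOO_LONG;
    }

    memcpy(cb->data + cb->len, frag, frag_len);
    cb->len += frag_len;
    return CERT_OK;
}

void cert_buf_free(struct cert_buf *cb)
{
    free(cb->data);
    cb->data = NULL;
    cb->len = 0;
    cb->cap = 0;
}

/* Drives the accumulator with two constructed fragments of the given sizes.
 * Returns the final return code and reports the accumulated length via out_len. */
int cert_demo(size_t first_len, size_t second_len, size_t *out_len)
{
    uint8_t frag[512];              /* constructed fragment payload */
    memset(frag, 0xAB, sizeof frag);
    struct cert_buf cb = {0};

    int rc = cert_fragment_write(&cb, frag, first_len, true);
    if (rc == CERT_OK)
        rc = cert_fragment_write(&cb, frag, second_len, false);

    *out_len = cb.len;
    cert_buf_free(&cb);
    return rc;
}

int main(void)
{
    size_t n;
    printf("100 + 100 bytes: rc=%d len=%zu\n", cert_demo(100, 100, &n), n);
    printf("200 + 100 bytes: rc=%d len=%zu\n", cert_demo(200, 100, &n), n);
    printf("257 bytes first: rc=%d len=%zu\n", cert_demo(257, 0, &n), n);
    return 0;
}
```

Two design points matter beyond the check itself. The check uses `cap - len` rather than `len + frag_len` so that a very large fragment length cannot wrap the sum and slip past the comparison. An oversized fragment rejects and resets the whole certificate rather than truncating it, because a silently truncated certificate would be a different integrity failure.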



Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:15:00 +0000

  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 15:00:00 +0000

  Type: References

Fri, 27 Feb 2026 09:15:00 +0000

  Type: First Time appeared
  Values Added: Golioth; Golioth pouch

  Type: Vendors & Products
  Values Added: Golioth; Golioth pouch

Thu, 26 Feb 2026 19:45:00 +0000

  Type: References

Thu, 26 Feb 2026 19:15:00 +0000

  Type: Description
  Values Removed: Golioth Pouch version 0.1.0 prior to [INSERT FIXED VERSION], fixed in commit 1b2219a1, contain a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.
  Values Added: Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

  Type: References

Thu, 26 Feb 2026 18:00:00 +0000

  Type: Description
  Values Added: Golioth Pouch version 0.1.0 prior to [INSERT FIXED VERSION], fixed in commit 1b2219a1, contain a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

  Type: Title
  Values Added: Golioth Pouch < [INSERT FIXED VERSION] BLE GATT Heap-based Buffer Overflow

  Type: Weaknesses
  Values Added: CWE-122

  Type: References

  Type: Metrics
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}
  Values Added: cvssV4_0 {'score': 7.2, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T15:44:14.766Z

Reserved: 2026-01-15T18:42:20.938Z

Link: CVE-2026-23750

Vulnrichment

Updated: 2026-02-27T16:05:29.715Z

NVD

Status : Deferred

Published: 2026-02-26T18:23:06.980

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23750

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses