Description
In EmberZNet v9.0.2 and earlier, malformed global ZCL messages can trigger out-of-bounds reads in framework parsing logic and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed.
Published: 2026-06-25
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In EmberZNet v9.0.2 and earlier, the global ZCL command parser performs insufficient length checks, so a crafted ZCL message can cause an out‑of‑bounds read in the parsing routine and crash the process. The vulnerability is classified as a local denial of service, as it causes the Zigbee network stack to terminate without leaking any data back to the sender. The weakness corresponds to CWE‑125, which describes out‑of‑bounds read errors.
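The kind of minimum-length validation whose absence the title of this record describes, as an added example that is not EmberZNet code and not the vendor's fix. It assumes the public ZCL frame header layout (frame control, optional manufacturer code, sequence number, command ID); the function names, result codes and the per-command minimum table are hypothetical, and requiring at least one attribute ID in Read Attributes is a policy choice of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example: not EmberZNet code. Names and the minimum-payload
   table are assumptions made for illustration. */
enum zcl_result { ZCL_OK = 0, ZCL_SHORT_HEADER, ZCL_NOT_GLOBAL, ZCL_SHORT_PAYLOAD };

struct zcl_hdr {
    uint8_t frame_control, seq, cmd;
    uint16_t mfg_code;
    const uint8_t *payload;
    size_t payload_len;
};

/* Smallest well-formed payload for a few global commands. */
static size_t zcl_min_payload(uint8_t cmd)
{
    switch (cmd) {
    case 0x00: return 2; /* Read Attributes: one 16-bit attribute ID */
    case 0x02: return 3; /* Write Attributes: attribute ID + data type */
    case 0x0b: return 2; /* Default Response: command ID + status */
    case 0x0c: return 3; /* Discover Attributes: start ID + max count */
    default:   return 0; /* unlisted: the handler must check for itself */
    }
}

/* Every read of buf is preceded by a check against len. */
enum zcl_result zcl_parse_global(const uint8_t *buf, size_t len, struct zcl_hdr *out)
{
    size_t off = 0;
    if (buf == NULL || len < 3) return ZCL_SHORT_HEADER; /* fc + seq + cmd */
    out->frame_control = buf[off++];
    out->mfg_code = 0;
    if (out->frame_control & 0x04) {          /* manufacturer-specific bit */
        if (len < 5) return ZCL_SHORT_HEADER; /* two more header bytes */
        out->mfg_code = (uint16_t)(buf[off] | (buf[off + 1] << 8));
        off += 2;
    }
    out->seq = buf[off++];
    out->cmd = buf[off++];
    if ((out->frame_control & 0x03) != 0) return ZCL_NOT_GLOBAL; /* frame type */
    out->payload = buf + off;
    out->payload_len = len - off;
    if (out->payload_len < zcl_min_payload(out->cmd)) return ZCL_SHORT_PAYLOAD;
    return ZCL_OK;
}
```

A frame rejected with `ZCL_SHORT_HEADER` or `ZCL_SHORT_PAYLOAD` is dropped before any command handler dereferences the payload, and the result code can be logged alongside the sender's address.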

Affected Systems

The affected product is Silicon Labs' EmberZNet firmware versions 9.0.2 and all earlier releases. Devices running this firmware—typically Zigbee‑based IoT gateways, routers, or sensors that support global ZCL command processing—are susceptible. Only systems that are part of a Zigbee network and that accept global ZCL messages from joined devices face this risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity DoS risk. EPSS is not available, so the current exploit probability is unknown, but the vulnerability is not listed in CISA's KEV catalog, suggesting no widespread use yet. Exploitation requires a malicious or compromised device that has already joined the network and can send malformed ZCL frames; the attacker does not need elevation or external access. Because the flaw triggers a crash without informational leakage, the primary concern is service interruption, especially for critical IoT deployments that rely on continuous operation.

Generated by OpenCVE AI on June 25, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EmberZNet firmware to the latest available version, which includes the missing length validation fix.
  • If an immediate firmware update is not feasible, isolate or quarantine devices that might join the network from untrusted sources, and limit the types of ZCL commands accepted by the router.
  • Monitor network traffic for unusually large or malformed ZCL packets and generate alerts; if a crash occurs, investigate the causing device and revoke its network privileges.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | In EmberZNet v9.0.2 and earlier, malformed global ZCL messages can trigger out-of-bounds reads in framework parsing logic and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed.
Title | | Global ZCL command parser missing minimum-length validation in EmberZNet v9.0.2
Weaknesses | | CWE-125
References | |
Metrics | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Silabs

Published:

Updated: 2026-06-25T14:04:28.563Z

Reserved: 2026-03-20T18:28:19.557Z

Link: CVE-2026-4526

Vulnrichment

Updated: 2026-06-25T14:04:23.688Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:00:12Z