Description
In EmberZNet v9.0.2 and earlier, malformed OTA requests can drive the OTA server parser into out-of-bounds reads. A limited amount of data from RAM is read back to the requester. The size and location of this data are limited. These requests must come from a device that has already joined the network. Only devices supporting the OTA Server cluster may be impacted.
Published: 2026-06-25
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The OTA server’s raw parser in EmberZNet v9.0.2 and earlier fails to perform per‑field bounds validation on malformed OTA requests, allowing an out‑of‑bounds read that leaks a small, limited chunk of RAM contents to the requester. The weakness is identified as CWE‑125 and could expose sensitive data to an attacker.

Affected Systems

Silicon Labs EmberZNet firmware versions 9.0.2 and earlier are affected. Only devices that implement the OTA Server cluster may be impacted, and the malformed OTA messages must come from a device that has already joined the network.

Risk and Exploitability

The CVSS score of 7.1 classifies this vulnerability as high severity. The recorded CVSS 4.0 vector rates confidentiality impact low (VC:L) and availability impact high (VA:H). EPSS data is not available, so the exploitation probability is unknown, and the issue is not listed in CISA KEV. The attack requires a device that has already joined the network and can issue OTA requests; successful exploitation would allow reading a few bytes of memory, potentially leaking proprietary information.

Generated by OpenCVE AI on June 25, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device’s EmberZNet firmware to a release that includes bounds validation for OTA requests.
  • If an upgrade is not immediately possible, disable or remove the OTA Server cluster from devices where it is not needed.
  • Enforce network‑level controls to block malformed OTA packets, such as firewall rules or packet inspection rules.
  • Monitor OTA logs for anomalous or oversized requests and investigate any suspicious activity.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 25 Jun 2026 14:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | In EmberZNet v9.0.2 and earlier, malformed OTA requests can drive the OTA server parser into out-of-bounds reads. A limited amount of data from RAM is read back to the requester. The size and location of this data are limited. These requests must come from a device that has already joined the network. Only devices supporting the OTA Server cluster may be impacted. |
| Title | | OTA server raw parser missing per-field bounds validation in EmberZNet v9.0.2 |
| Weaknesses | | CWE-125 |
| References | | |
| Metrics | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: Silabs

Published:

Updated: 2026-06-25T14:15:25.935Z

Reserved: 2026-05-18T20:02:03.669Z

Link: CVE-2026-47147

Vulnrichment

Updated: 2026-06-25T14:15:22.721Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T15:30:16Z