Description
In EmberZNet v9.0.2 and earlier, malformed GetGroupMembership commands can trigger repeated reads past the end of the message payload and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Groups cluster may be impacted.
Published: 2026-06-25
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Malformed GetGroupMembership commands in EmberZNet v9.0.2 and earlier can cause the device to repeatedly read past the end of the message payload, triggering a process termination. The fault does not leak data back to the sender, but it can crash any node that supports the Groups cluster, disrupting network operations and potentially causing a denial of service for devices relying on that firmware.

Affected Systems

Silicon Labs EmberZNet firmware v9.0.2 and all earlier releases are affected. Only devices that support the Groups cluster are susceptible to the crash. No other vendors or product versions are impacted according to the CNA data.

Risk and Exploitability

The CVSS score of 7.1 classifies the flaw as high severity, indicating significant impact if exploited. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited widespread exploitation to date. However, the attack vector requires a device that has already joined the network and the ability to send malformed GetGroupMembership messages locally, which is feasible for an attacker with network access. The risk is moderate to high for networks with unsupervised or legacy firmware.

Generated by OpenCVE AI on June 25, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EmberZNet firmware to a version that includes the buffer over‑read fix (e.g., 9.0.3 or later).
  • If an upgrade is not immediately possible, disable or remove the Groups cluster on the affected devices to eliminate the crash trigger.
  • Continuously monitor the network for abnormal node restarts or firmware logs, and isolate any nodes exhibiting crashes until the fix is applied.
  • Segment the Zigbee network to restrict access to trusted devices only, reducing the attacker’s ability to send malformed GetGroupMembership messages.

Generated by OpenCVE AI on June 25, 2026 at 16:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Silicon Labs
Silicon Labs emberznet
Vendors & Products Silicon Labs
Silicon Labs emberznet

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description In EmberZNet v9.0.2 and earlier, malformed GetGroupMembership commands can trigger repeated reads past the end of the message payload and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Groups cluster may be impacted.
Title Groups GetGroupMembership count/list-length mismatch in EmberZNet v9.0.2
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Silicon Labs Emberznet
cve-icon MITRE

Status: PUBLISHED

Assigner: Silabs

Published:

Updated: 2026-06-25T14:15:48.254Z

Reserved: 2026-05-18T20:02:03.669Z

Link: CVE-2026-47148

cve-icon Vulnrichment

Updated: 2026-06-25T14:15:45.595Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:56Z

Weaknesses