Description
In EmberZNet v9.0.2 and earlier, malformed or out-of-range Door Lock user identifiers can trigger out-of-bounds table reads and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Door Lock cluster may be impacted.
Published: 2026-06-25
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Malformed or out‑of‑range Door Lock user identifiers in EmberZNet firmware 9.0.2 and earlier trigger an out‑of‑bounds table read that terminates the device process. No evidence of data leakage to the attacker was observed, but the loss of the service constitutes a denial‑of‑service attack.

Affected Systems

Only devices that support the Door Lock cluster and run Silicon Labs EmberZNet firmware 9.0.2 or older are affected. This includes all networked devices running the affected firmware that implement the Door Lock cluster.

Risk and Exploitability

The CVSS score of 7.1 indicates a high risk for denial of service. The EPSS score is not available, making it unclear how frequently this flaw is exploited today, and the vulnerability is not listed in the CISA KEV catalog. Because the trigger messages must originate from a device that has already joined the network, an attacker can exploit the flaw by sending malformed GetUserType requests on the local network, causing the targeted device to crash without leaking sensitive information.

Generated by OpenCVE AI on June 25, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all EmberZNet firmware to the latest version that fixes the Buffer Over‑Read in the Door Lock GetUserType command. This update performs proper bounds checking on the user identifier.
  • If an immediate firmware upgrade is not possible, disable the Door Lock cluster on affected devices or restrict the cluster to trusted endpoints to eliminate the attack surface. This mitigates the denial‑of‑service damage until a patch can be applied.
  • Monitor the network for anomalous Door Lock GetUserType messages, especially from devices that do not normally use the Door Lock cluster, and isolate or quarantine any devices that exhibit repeated failures.

Generated by OpenCVE AI on June 25, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description In EmberZNet v9.0.2 and earlier, malformed or out-of-range Door Lock user identifiers can trigger out-of-bounds table reads and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Door Lock cluster may be impacted.
Title Door Lock GetUserType invalid table index in EmberZNet v9.0.2
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Silabs

Published:

Updated: 2026-06-25T14:06:13.766Z

Reserved: 2026-05-18T20:02:03.669Z

Link: CVE-2026-47149

cve-icon Vulnrichment

Updated: 2026-06-25T14:06:10.863Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T15:30:16Z

Weaknesses