Description
In EmberZNet v9.0.2 and earlier, a malformed GetProfileResponse message can trigger out-of-bounds reads while iterating interval entries and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Simple Metering cluster may be impacted.
Published: 2026-06-25
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can craft a malformed GetProfileResponse message for the Simple Metering cluster, which, when processed by EmberZNet v9.0.2 or earlier, causes an out‑of‑bounds read while iterating interval entries. The read triggers a process termination, resulting in a denial‑of‑service condition. No confidential data is leaked back to the attacker. The flaw falls under CWE‑125: Incorrect Boundary Conditions.

Affected Systems

Silicon Labs EmberZNet firmware versions 9.0.2 and earlier are affected. Only devices that support the Simple Metering cluster are vulnerable, so typical Zigbee appliances such as smart meters or energy‑management units running the affected firmware are at risk. Devices without the Simple Metering cluster are not impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high risk. EPSS is not available, but the flaw requires a source device already on the Zigbee network to send the malformed message, suggesting a moderate exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, reducing immediacy of observed attacks. Nonetheless, any device using the vulnerable firmware that can communicate within the network remains at risk for a local denial‑of‑service attack.

Generated by OpenCVE AI on June 25, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all devices to the latest EmberZNet firmware that fixes the Simple Metering GetProfileResponse bug.
  • If an upgrade is not immediately feasible, disable the Simple Metering cluster on affected devices to prevent reception of GetProfileResponse messages.
  • Monitor your Zigbee network for abrupt resets or crash logs from EmberZNet nodes, and promptly isolate any devices exhibiting this behavior.

Generated by OpenCVE AI on June 25, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description In EmberZNet v9.0.2 and earlier, a malformed GetProfileResponse message can trigger out-of-bounds reads while iterating interval entries and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Simple Metering cluster may be impacted.
Title Simple Metering GetProfileResponse interval-bounds bug in EmberZNet v9.0.2
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Silabs

Published:

Updated: 2026-06-25T14:19:07.404Z

Reserved: 2026-05-18T20:02:03.670Z

Link: CVE-2026-47154

cve-icon Vulnrichment

Updated: 2026-06-25T14:19:03.701Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T15:30:16Z

Weaknesses