{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23747", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-15T18:42:20.937Z", "datePublished": "2026-02-26T17:30:13.495Z", "dateUpdated": "2026-03-23T15:44:12.452Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Firmware SDK", "repo": "https://github.com/golioth/golioth-firmware-sdk", "vendor": "Golioth", "versions": [{"lessThan": "0.22.0", "status": "affected", "version": "0.10.0", "versionType": "semver"}, {"status": "unaffected", "version": "48f521bcc0187ada2b9cbdad31dc380e6c7b7332", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "value": "SecMate (https://secmate.dev)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit&nbsp;48f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes (int) or 32 bytes (float) can overflow the stack, resulting in a crash/denial of service. This is reachable via LightDB State on_payload with a malicious server or MITM."}], "value": "Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit\u00a048f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes (int) or 32 bytes (float) can overflow the stack, resulting in a crash/denial of service. This is reachable via LightDB State on_payload with a malicious server or MITM."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-23T15:44:12.452Z"}, "references": [{"tags": ["technical-description"], "url": "https://secmate.dev/disclosures/SECMATE-2025-0015"}, {"tags": ["technical-description", "exploit"], "url": "https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/"}, {"tags": ["release-notes"], "url": "https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0"}, {"tags": ["patch"], "url": "https://github.com/golioth/golioth-firmware-sdk/commit/48f521bcc0187ada2b9cbdad31dc380e6c7b7332"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/golioth-firmware-sdk-payload-utils-stack-based-buffer-overflow"}], "source": {"discovery": "EXTERNAL"}, "title": "Golioth Firmware SDK < 0.22.0 Payload Utils Stack-based Buffer Overflow", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T16:07:17.351702Z", "id": "CVE-2026-23747", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T16:07:30.232Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23747", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T16:07:17.351702Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T16:07:21.478Z"}}], "cna": {"title": "Golioth Firmware SDK < 0.22.0 Payload Utils Stack-based Buffer Overflow", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "SecMate (https://secmate.dev)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/golioth/golioth-firmware-sdk", "vendor": "Golioth", "product": "Firmware SDK", "versions": [{"status": "affected", "version": "0.10.0", "lessThan": "0.22.0", "versionType": "semver"}, {"status": "unaffected", "version": "commit 48f521b", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://secmate.dev/disclosures/SECMATE-2025-0015", "tags": ["technical-description"]}, {"url": "https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0", "tags": ["release-notes"]}, {"url": "https://github.com/golioth/golioth-firmware-sdk/commit/48f521bcc0187ada2b9cbdad31dc380e6c7b7332", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/golioth-firmware-sdk-payload-utils-stack-based-buffer-overflow", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit\u00a048f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes (int) or 32 bytes (float) can overflow the stack, resulting in a crash/denial of service. This is reachable via LightDB State on_payload with a malicious server or MITM.", "supportingMedia": [{"type": "text/html", "value": "Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit&nbsp;48f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes (int) or 32 bytes (float) can overflow the stack, resulting in a crash/denial of service. This is reachable via LightDB State on_payload with a malicious server or MITM.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-02-27T14:52:21.958Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23747", "state": "PUBLISHED", "dateUpdated": "2026-02-27T16:07:30.232Z", "dateReserved": "2026-01-15T18:42:20.937Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-02-26T17:30:13.495Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit\u00a048f521b, contain a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes (int) or 32 bytes (float) can overflow the stack, resulting in a crash/denial of service. This is reachable via LightDB State on_payload with a malicious server or MITM."}, {"lang": "es", "value": "La versi\u00f3n 0.10.0 del SDK de firmware de Golioth anterior a la 0.22.0, corregida en el commit 48f521b, contiene un desbordamiento de b\u00fafer basado en pila en Payload Utils. Las funciones auxiliares golioth_payload_as_int() y golioth_payload_as_float() copian datos de carga \u00fatil suministrados por la red en b\u00faferes de pila de tama\u00f1o fijo usando memcpy() con una longitud derivada de payload_size. Las \u00fanicas comprobaciones de longitud est\u00e1n protegidas por assert(); en las compilaciones de lanzamiento, los asserts se eliminan en la compilaci\u00f3n y memcpy() puede copiar un payload_size ilimitado. Las cargas \u00fatiles de m\u00e1s de 12 bytes ('int') o 32 bytes ('float') pueden desbordar la pila, lo que resulta en un fallo/denegaci\u00f3n de servicio. Esto es accesible a trav\u00e9s de LightDB State on_payload con un servidor malicioso o MitM."}], "id": "CVE-2026-23747", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-02-26T18:23:06.317", "references": [{"source": "disclosure@vulncheck.com", "url": "https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/golioth/golioth-firmware-sdk/commit/48f521bcc0187ada2b9cbdad31dc380e6c7b7332"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0"}, {"source": "disclosure@vulncheck.com", "url": "https://secmate.dev/disclosures/SECMATE-2025-0015"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/golioth-firmware-sdk-payload-utils-stack-based-buffer-overflow"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.10.0,0.22.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "commit 48f521b"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Firmware SDK", "source": "cna", "vendor": "Golioth"}, "product": "firmware_sdk", "vendor": "golioth"}], "analysis": {"en": {"generated_at": "2026-04-16T06:02:08.331316+00:00", "value": {"mitigation_remediation": ["Upgrade the Golioth Firmware SDK to version 0.22.0 or later, which includes the fixed memcpy logic.", "If an upgrade cannot be performed immediately, validate all incoming payload sizes and reject or truncate any integer payloads larger than 12 bytes or floating\u2011point payloads larger than 32 bytes before calling the affected functions.", "Monitor device logs for sudden crashes or abnormal memory usage that may indicate attempts to trigger the overflow and apply patches as soon as the environment permits."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Golioth Firmware SDK installations built from version 0.10.0 up to, but not including, 0.22.0 are affected. The exploit relies on the SDK being used in environments where LightDB State on_payload is active and can receive payloads from a server or man\u2011in\u2011the\u2011middle attacker.", "description_and_impact": "A stack\u2011based buffer overflow exists in the Golioth Firmware SDK\u2019s Payload Utils, specifically in the golioth_payload_as_int() and golioth_payload_as_float() functions. The vulnerability arises from unchecked memcpy() calls that copy network\u2011supplied payload data into fixed\u2011size stack buffers without verifying the payload length. When the payload exceeds 12 bytes for integers or 32 bytes for floats, the overflow can corrupt the stack, causing a crash and denying service to the device. The overflow does not provide direct code execution but can be leveraged to disrupt firmware operation.", "risk_and_exploitability": "The CVSS score of 6.3 indicates a moderate risk level, while the EPSS probability of less than 1% suggests exploit attempts are expected to be very rare. The vulnerability is not listed in the CISA KEV catalog. The attack vector is reachable through the LightDB State on_payload interface, requiring an attacker to supply a malicious server\u2011generated payload that exceeds the safe buffer limits. If executed, the exploit would crash the firmware, causing a denial of service but not providing remote control or data exfiltration capabilities."}}}}, "created": "2026-02-27T09:07:19.943818+00:00", "updated": "2026-04-16T06:15:26.884839+00:00", "vendors": ["golioth", "golioth$PRODUCT$firmware_sdk"]}