CVE-2026-23750

Sažetak

Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

Reference

https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
https://github.com/golioth/pouch/commit/1b2219a1
https://secmate.dev/disclosures/SECMATE-2025-0018
https://www.vulncheck.com/advisories/golioth-pouch-ble-gatt-heap-based-buffer-overflow

CVSS

Base:	8.1
Impact:	5.2
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
ADJACENT_NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Zadnje važnije ažuriranje

27-02-2026 - 15:16

Objavljeno

26-02-2026 - 18:23