PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23748 Golioth CVE debrief

CVE-2026-23748 is an out-of-bounds read vulnerability in the Golioth Firmware SDK versions 0.10.0 prior to 0.22.0. The vulnerability was fixed in commit d7f55b38. An out-of-bounds read occurs in LightDB State string parsing when processing a string payload with a payload_size value less than 2, causing a size_t underflow. This underflow leads to memcpy() reading past the end of the network buffer, potentially crashing the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A malicious server or MITM can trigger a denial of service.

Vendor
Golioth
Product
Firmware SDK
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-26
Original CVE updated
2026-07-14
Advisory published
2026-02-26
Advisory updated
2026-07-14

Who should care

Users of Golioth Firmware SDK versions 0.10.0 through 0.21.0 should update to version 0.22.0 or later to mitigate this vulnerability. This vulnerability is particularly concerning for IoT device manufacturers and developers using the Golioth Firmware SDK, as it can lead to device crashes and potential denial-of-service attacks.

Technical summary

The Golioth Firmware SDK versions 0.10.0 prior to 0.22.0 contain an out-of-bounds read vulnerability in LightDB State string parsing. When processing a string payload with a payload_size value less than 2, a size_t underflow occurs, leading to memcpy() reading past the end of the network buffer. This can cause the device to crash. The vulnerability is reachable from the on_payload function, and the golioth_payload_is_null() function does not prevent payload_size==1. A malicious server or man-in-the-middle (MITM) can exploit this vulnerability to trigger a denial-of-service attack.

Defensive priority

High

Recommended defensive actions

  • Update Golioth Firmware SDK to version 0.22.0 or later
  • Implement input validation for payload_size values
  • Monitor for suspicious network activity
  • Use secure communication protocols
  • Regularly review and update firmware

Evidence notes

The CVE record was published on 2026-02-26T18:23:06.550Z and was last modified on 2026-07-14T16:16:52.773Z. The NVD entry is currently Deferred. The vulnerability was disclosed by Secmate and Vulncheck.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-26T18:23:06.550Z and has not been modified since then. The NVD entry is currently Deferred.