PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23749 Golioth CVE debrief

CVE-2026-23749 is an out-of-bounds read vulnerability in Golioth Firmware SDK versions prior to 0.22.0. The issue is caused by improper null termination of a blockwise transfer path. The blockwise_transfer_init() function accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A later strlen() on this buffer can read past the end of the allocation, resulting in a crash or denial of service. The input is application-controlled (not network by default).

Vendor
Golioth
Product
Firmware SDK
CVSS
LOW 2.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-26
Original CVE updated
2026-07-14
Advisory published
2026-02-26
Advisory updated
2026-07-14

Who should care

Developers and users of Golioth Firmware SDK versions prior to 0.22.0 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and modifying the blockwise_transfer_init() function to ensure proper null termination of the path and implementing additional checks to prevent out-of-bounds reads.

Technical summary

The vulnerability is caused by improper null termination of a blockwise transfer path in the Golioth Firmware SDK. The blockwise_transfer_init() function copies a path using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. This can lead to an out-of-bounds read when strlen() is called on the buffer. The issue affects Golioth Firmware SDK versions prior to 0.22.0.

Defensive priority

Medium

Recommended defensive actions

  • Update to Golioth Firmware SDK version 0.22.0 or later
  • Review and modify the blockwise_transfer_init() function to ensure proper null termination of the path
  • Implement additional checks to prevent out-of-bounds reads
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-02-26T18:23:06.763Z and has not been modified since then. The NVD entry is currently Deferred. There are no additional details available about the vulnerability beyond what is provided in the CVE record and NVD entry.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-26T18:23:06.763Z and has not been modified since then.