PatchSiren cyber security CVE debrief
CVE-2026-23749 Golioth CVE debrief
CVE-2026-23749 is an out-of-bounds read vulnerability in Golioth Firmware SDK versions prior to 0.22.0. The issue is caused by improper null termination of a blockwise transfer path. The blockwise_transfer_init() function accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A later strlen() on this buffer can read past the end of the allocation, resulting in a crash or denial of service. The input is application-controlled (not network by default).
- Vendor
- Golioth
- Product
- Firmware SDK
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-26
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-26
- Advisory updated
- 2026-07-14
Who should care
Developers and users of Golioth Firmware SDK versions prior to 0.22.0 should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and modifying the blockwise_transfer_init() function to ensure proper null termination of the path and implementing additional checks to prevent out-of-bounds reads.
Technical summary
The vulnerability is caused by improper null termination of a blockwise transfer path in the Golioth Firmware SDK. The blockwise_transfer_init() function copies a path using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. This can lead to an out-of-bounds read when strlen() is called on the buffer. The issue affects Golioth Firmware SDK versions prior to 0.22.0.
Defensive priority
Medium
Recommended defensive actions
- Update to Golioth Firmware SDK version 0.22.0 or later
- Review and modify the blockwise_transfer_init() function to ensure proper null termination of the path
- Implement additional checks to prevent out-of-bounds reads
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-02-26T18:23:06.763Z and has not been modified since then. The NVD entry is currently Deferred. There are no additional details available about the vulnerability beyond what is provided in the CVE record and NVD entry.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-26T18:23:06.763Z and has not been modified since then.