PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23750 Golioth CVE debrief

CVE-2026-23750 is a heap-based buffer overflow vulnerability in Golioth Pouch version 0.1.0, prior to commit 1b2219a1. The vulnerability occurs in the BLE GATT server certificate handling. The server_cert_write() function allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

Vendor
Golioth
Product
Pouch
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-26
Original CVE updated
2026-07-14
Advisory published
2026-02-26
Advisory updated
2026-07-14

Who should care

Organizations using Golioth Pouch version 0.1.0 prior to commit 1b2219a1 should be aware of this vulnerability. The vulnerability has a CVSS score of 7.2 and is classified as HIGH severity. The vulnerability can be exploited by an adjacent BLE client, and the impact includes heap overflow, crash, and potential memory corruption.

Technical summary

The vulnerability is caused by the server_cert_write() function allocating a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appending subsequent fragments using memcpy() without verifying that sufficient capacity remains. This allows an adjacent BLE client to send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption. The vulnerability is classified as CWE-122.

Defensive priority

High

Recommended defensive actions

  • Inventory and verify affected Golioth Pouch installations
  • Apply patch or upgrade to a fixed version
  • Implement compensating controls to detect and prevent exploitation
  • Monitor for suspicious BLE activity
  • Exception tracking and retest

Evidence notes

The CVE record was published on 2026-02-26T18:23:06.980Z and was last modified on 2026-07-14T16:16:53.030Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 7.2 and is classified as HIGH severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-26T18:23:06.980Z and has not been modified since then. The NVD entry is currently Deferred.