PatchSiren cyber security CVE debrief
CVE-2025-56364 Project CHIP CVE debrief
CVE-2025-56364 is a high-severity vulnerability in the Matter SDK, allowing for denial of service through SIGABRT. A use of uninitialized value vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, where the `GetDestinationGroupId().Value()` method is called without first checking whether a value exists. This leads to a crash when an InvokeCommand is sent without initializing the destination group ID. The issue affects all versions before commit 0360cc3 (Dec 5, 2024) and leads to denial of service through SIGABRT. It is fixed by adding a .HasValue() check before access. The vulnerability has a CVSS score of 7.5 and a HIGH severity rating.
- Vendor
- Project CHIP
- Product
- Matter SDK (connectedhomeip)
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-17
Who should care
Users of the Matter SDK (connectedhomeip) before version 1.4.0 should be aware of this vulnerability and take steps to mitigate it. This includes developers and administrators working with the Matter SDK, as well as organizations using products that rely on this SDK. The vulnerability has a CVSS score of 7.5 and a HIGH severity rating.
Technical summary
The vulnerability exists in the Matter SDK (connectedhomeip) before version 1.4.0. The `GetDestinationGroupId().Value()` method is called without first checking whether a value exists, leading to a crash when an InvokeCommand is sent without initializing the destination group ID. The issue affects all versions before commit 0360cc3 (Dec 5, 2024) and leads to denial of service through SIGABRT. It is fixed by adding a .HasValue() check before access. The vulnerability has a CVSS score of 7.5 and a HIGH severity rating.
Defensive priority
High
Recommended defensive actions
- Inventory and assess affected systems
- Apply the patch or upgrade to version 1.4.0 or later
- Monitor for potential exploitation attempts
- Implement compensating controls to mitigate potential impact
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-14T23:17:27.467Z and was last modified on 2026-07-17T03:00:07.473Z. The NVD entry is currently Analyzed. The vulnerability details are based on the Matter SDK (connectedhomeip) before 1.4.0. The `GetDestinationGroupId().Value()` method is called without first checking whether a value exists, leading to a crash when an InvokeCommand is sent without initializing the destination group ID. This issue affects all versions before commit 0360cc3 (Dec 5, 2024) and leads to denial of service through SIGABRT. It is fixed by adding a .HasValue() check before access. The source detail is limited, and defenders should verify the affected scope and severity.
Official resources
-
CVE-2025-56364 CVE record
CVE.org
-
CVE-2025-56364 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Product
-
Source reference
[email protected] - Issue Tracking
-
Mitigation or vendor reference
[email protected] - Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T23:17:27.467Z and has not been modified since then. The NVD entry is currently Analyzed.