PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-56364 Project CHIP CVE debrief

CVE-2025-56364 is a high-severity vulnerability in the Matter SDK, allowing for denial of service through SIGABRT. A use of uninitialized value vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, where the `GetDestinationGroupId().Value()` method is called without first checking whether a value exists. This leads to a crash when an InvokeCommand is sent without initializing the destination group ID. The issue affects all versions before commit 0360cc3 (Dec 5, 2024) and leads to denial of service through SIGABRT. It is fixed by adding a .HasValue() check before access. The vulnerability has a CVSS score of 7.5 and a HIGH severity rating.

Vendor
Project CHIP
Product
Matter SDK (connectedhomeip)
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-17
Advisory published
2026-07-14
Advisory updated
2026-07-17

Who should care

Users of the Matter SDK (connectedhomeip) before version 1.4.0 should be aware of this vulnerability and take steps to mitigate it. This includes developers and administrators working with the Matter SDK, as well as organizations using products that rely on this SDK. The vulnerability has a CVSS score of 7.5 and a HIGH severity rating.

Technical summary

The vulnerability exists in the Matter SDK (connectedhomeip) before version 1.4.0. The `GetDestinationGroupId().Value()` method is called without first checking whether a value exists, leading to a crash when an InvokeCommand is sent without initializing the destination group ID. The issue affects all versions before commit 0360cc3 (Dec 5, 2024) and leads to denial of service through SIGABRT. It is fixed by adding a .HasValue() check before access. The vulnerability has a CVSS score of 7.5 and a HIGH severity rating.

Defensive priority

High

Recommended defensive actions

  • Inventory and assess affected systems
  • Apply the patch or upgrade to version 1.4.0 or later
  • Monitor for potential exploitation attempts
  • Implement compensating controls to mitigate potential impact
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-14T23:17:27.467Z and was last modified on 2026-07-17T03:00:07.473Z. The NVD entry is currently Analyzed. The vulnerability details are based on the Matter SDK (connectedhomeip) before 1.4.0. The `GetDestinationGroupId().Value()` method is called without first checking whether a value exists, leading to a crash when an InvokeCommand is sent without initializing the destination group ID. This issue affects all versions before commit 0360cc3 (Dec 5, 2024) and leads to denial of service through SIGABRT. It is fixed by adding a .HasValue() check before access. The source detail is limited, and defenders should verify the affected scope and severity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T23:17:27.467Z and has not been modified since then. The NVD entry is currently Analyzed.