PatchSiren

Golioth CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Golioth CVE published 2026-02-26

CVE-2026-23750

CVE-2026-23750 is a heap-based buffer overflow vulnerability in Golioth Pouch version 0.1.0, prior to commit 1b2219a1. The vulnerability occurs in the BLE GATT server certificate handling. The server_cert_write() function allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient cap [truncated]

LOW Golioth CVE published 2026-02-26

CVE-2026-23749

CVE-2026-23749 is an out-of-bounds read vulnerability in Golioth Firmware SDK versions prior to 0.22.0. The issue is caused by improper null termination of a blockwise transfer path. The blockwise_transfer_init() function accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A later strlen [truncated]

MEDIUM Golioth CVE published 2026-02-26

CVE-2026-23748

CVE-2026-23748 is an out-of-bounds read vulnerability in the Golioth Firmware SDK versions 0.10.0 prior to 0.22.0. The vulnerability was fixed in commit d7f55b38. An out-of-bounds read occurs in LightDB State string parsing when processing a string payload with a payload_size value less than 2, causing a size_t underflow. This underflow leads to memcpy() reading past the end of the network buffer, potenti [truncated]

MEDIUM Golioth CVE published 2026-02-26

CVE-2026-23747

The Golioth Firmware SDK, versions 0.10.0 to prior 0.22.0, contains a stack-based buffer overflow vulnerability in Payload Utils. This issue, fixed in commit 48f521b, arises from the golioth_payload_as_int() and golioth_payload_as_float() helpers, which copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The vulnerability is triggered wh [truncated]