Semtech LR1110 LoRa transceivers running early firmware versions have a vulnerability (CWE-226) where sensitive decrypted firmware data is not cleared from memory after a firmware validation process. Specifically, when a host issues a firmware validity check command via SPI, the device decrypts the firmware package block-by-block but leaves the last decrypted block uncleared in memory. An attacker with physical SPI interface access can issue memory read commands to retrieve this decrypted firmware block, effectively bypassing the firmware encryption mechanism. This vulnerability impacts firmware confidentiality but requires physical device access and no privileges or user interaction.

The vulnerability allows an attacker with physical access to the SPI interface to read decrypted firmware contents from residual memory after a firmware validation operation. This leads to disclosure of sensitive firmware data that should be protected by encryption. The impact is limited to confidentiality loss of firmware code. There is no indication of privilege escalation, denial of service, or integrity compromise. No known exploits are reported in the wild. The attack complexity is low given physical access, but the requirement for physical SPI interface access limits remote exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict physical access to devices and their SPI interfaces to trusted personnel only. Monitor Semtech communications for firmware updates addressing this issue. No other specific mitigations are documented at this time.