CVE-2026-23747 is a stack-based buffer overflow vulnerability identified in the Golioth Firmware SDK, specifically in versions prior to 0.22.0, with version 0.10.0 confirmed affected. The flaw exists in the Payload Utils helper functions golioth_payload_as_int() and golioth_payload_as_float(), which handle conversion of network-received payload data into integer and float types, respectively. These functions use memcpy() to copy payload data into fixed-size stack buffers (12 bytes for int, 32 bytes for float) based on the payload_size parameter. However, the only length checks are implemented as assert() statements, which are removed in release builds, allowing memcpy() to copy an unbounded amount of data if the payload_size exceeds buffer limits. This leads to a classic stack-based buffer overflow, which can corrupt the stack, cause application crashes, or potentially enable denial of service. The vulnerability is reachable remotely via the LightDB State on_payload interface, meaning an attacker controlling the server or performing a man-in-the-middle attack can send malicious payloads to trigger the overflow. The CVSS 4.0 score of 6.3 indicates a medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, and limited impact on availability. No public exploits have been reported yet, but the vulnerability is fixed in commit 48f521b and versions 0.22.0 and later. This vulnerability highlights the risks of relying on assert-based validation for security-critical length checks in production code, especially in IoT firmware SDKs where remote payloads are common.

The primary impact of this vulnerability is denial of service through application crashes caused by stack corruption. In environments where Golioth Firmware SDK is used, typically IoT devices and embedded systems, this can lead to device unavailability or reboot loops, disrupting critical operations. Although the current known impact is limited to DoS, stack-based buffer overflows can sometimes be leveraged for arbitrary code execution or privilege escalation, depending on the device architecture and exploit complexity. Given that the vulnerability is remotely exploitable without authentication or user interaction, attackers can disrupt large numbers of devices by sending crafted payloads via the network. This can affect IoT deployments relying on Golioth’s LightDB State service, potentially impacting industrial, smart home, or other connected device ecosystems. The lack of known exploits reduces immediate risk, but the potential for future exploitation remains. Organizations using affected SDK versions risk operational disruption, reputational damage, and increased maintenance costs if devices become unstable or compromised.

Organizations should immediately upgrade all Golioth Firmware SDK instances to version 0.22.0 or later where this vulnerability is patched. Until upgrades are complete, implement strict input validation on all payload data received via LightDB State or other network interfaces to ensure payload sizes do not exceed expected limits (12 bytes for int, 32 bytes for float). Employ runtime protections such as stack canaries and address space layout randomization (ASLR) on devices to mitigate exploitation impact. Network-level controls should be used to restrict access to the LightDB State service to trusted servers and clients, minimizing exposure to malicious actors or man-in-the-middle attacks. Additionally, review and avoid using assert() for critical security checks in production firmware code; replace with explicit error handling and bounds checking. Monitor device logs and network traffic for anomalies indicating attempts to exploit this vulnerability. Finally, coordinate with Golioth support and firmware vendors to ensure timely patch deployment and vulnerability management.