CVE-2026-23748 is a medium severity integer underflow vulnerability (CWE-191) identified in the Golioth Firmware SDK, specifically in versions prior to 0.22.0, with version 0.10.0 explicitly affected. The vulnerability arises in the LightDB State string parsing functionality. When processing a string payload, if the payload_size is less than 2, a size_t underflow occurs during the calculation of the number of bytes to copy (nbytes). This underflow causes memcpy() to read beyond the bounds of the network buffer, resulting in an out-of-bounds read. The vulnerable code path is reachable from the on_payload handler, and the function golioth_payload_is_null() does not prevent payload_size values equal to 1, allowing the underflow condition to be triggered. The consequence of this out-of-bounds read is a device crash, effectively causing a denial of service (DoS). The flaw can be exploited remotely by a malicious server or a man-in-the-middle (MITM) attacker without requiring authentication or user interaction. The vulnerability was fixed in commit d7f55b38 after being reserved in January 2026 and published in February 2026. No public exploits are known at this time, but the vulnerability poses a risk to IoT devices using the affected SDK versions, potentially impacting device availability and reliability.

The primary impact of CVE-2026-23748 is denial of service due to device crashes caused by out-of-bounds memory reads. For organizations deploying IoT devices running the vulnerable Golioth Firmware SDK, this can lead to operational disruptions, loss of device availability, and potential cascading effects in critical infrastructure or industrial environments. Since the vulnerability can be triggered remotely without authentication, attackers controlling or intercepting network traffic can exploit this flaw to disrupt services. This may affect device fleets, causing downtime and increased maintenance costs. Although no direct data confidentiality or integrity compromise is indicated, the loss of availability can degrade trust in IoT deployments and impact business continuity, especially in sectors relying on real-time device telemetry and control.

To mitigate this vulnerability, organizations should upgrade all Golioth Firmware SDK instances to version 0.22.0 or later, where the issue is fixed. If immediate upgrade is not feasible, implement network-level protections such as strict filtering and validation of incoming payloads to ensure payload_size values are not less than 2, thereby preventing the underflow condition. Employ secure communication channels (e.g., TLS) to reduce the risk of man-in-the-middle attacks that could inject malicious payloads. Additionally, monitor device logs and network traffic for anomalous payloads or repeated crashes indicative of exploitation attempts. Incorporate robust input validation in custom firmware layers to reject malformed or suspicious payloads. Finally, maintain an incident response plan to quickly address device outages and coordinate with Golioth support for patches and advisories.