CVE-2026-23748 is a medium-severity integer underflow vulnerability (CWE-191) found in the Golioth Firmware SDK, specifically in versions prior to 0.22.0, including 0.10.0. The vulnerability occurs in the LightDB State string parsing logic, where the payload_size parameter is used to calculate the number of bytes to copy (nbytes) during a memcpy() operation. When payload_size is less than 2, the calculation of nbytes underflows due to size_t wrapping around, resulting in an out-of-bounds read past the end of the network buffer. This improper memory access can cause the device to crash, effectively leading to a denial of service. The vulnerable code path is reachable from the on_payload function, and the golioth_payload_is_null() check does not prevent payload_size values of 1, allowing the underflow condition to be triggered. An attacker controlling the server or positioned as a man-in-the-middle can exploit this vulnerability remotely without requiring authentication or user interaction. The flaw was fixed in commit d7f55b38, and users are advised to upgrade to version 0.22.0 or later. No public exploits have been reported to date, but the vulnerability poses a risk to devices running affected firmware versions that rely on LightDB State string parsing.

The primary impact of CVE-2026-23748 is a denial of service condition caused by device crashes due to out-of-bounds memory reads. For organizations deploying IoT devices or embedded systems using the Golioth Firmware SDK, this vulnerability can disrupt device availability and reliability. Since the flaw can be triggered remotely by a malicious server or MITM attacker without authentication, it poses a risk to the operational continuity of connected devices. This could lead to service interruptions, loss of telemetry data, and potential cascading failures in systems dependent on these devices. While the vulnerability does not directly lead to code execution or data confidentiality breaches, the resulting downtime can affect critical infrastructure, industrial control systems, or consumer IoT deployments. The lack of known exploits in the wild reduces immediate risk, but the ease of triggering the issue means attackers could weaponize it if they gain network access or control over communication channels.

To mitigate CVE-2026-23748, organizations should immediately upgrade all affected Golioth Firmware SDK instances to version 0.22.0 or later, where the vulnerability has been fixed. In environments where immediate patching is not feasible, network-level protections should be implemented to restrict access to device communication channels, especially from untrusted servers or networks susceptible to MITM attacks. Employing strong encryption and authentication mechanisms for device-server communication can reduce the risk of malicious payload injection. Additionally, monitoring device logs and network traffic for abnormal payload sizes or repeated crashes can help detect exploitation attempts. Firmware integrity verification and secure update mechanisms should be enforced to prevent rollback to vulnerable versions. Developers should also review payload parsing logic for similar integer underflow risks and apply defensive programming practices such as explicit bounds checking and safe memory operations.