CVE-2026-23748: CWE-191 Integer Underflow (Wrap or Wraparound) in Golioth Firmware SDK
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value less than 2 can cause a size_t underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A malicious server or MITM can trigger a denial of service.
AI Analysis
Technical Summary
The vulnerability in Golioth Firmware SDK (versions 0.10.0 up to but not including 0.22.0) involves an integer underflow (CWE-191) during LightDB State string payload processing. When the payload_size value is less than 2, the calculation for the number of bytes to copy (nbytes) underflows, causing memcpy to read beyond the network buffer boundary. This out-of-bounds read can crash the device, enabling denial of service. The issue is reachable from the on_payload function, and the existing check golioth_payload_is_null() does not prevent payload_size==1 from triggering the flaw. Exploitation requires network access and can be performed by a malicious server or man-in-the-middle attacker. The vulnerability is tracked as CVE-2026-23748 with a CVSS 4.0 score of 6.3 (medium severity). The vendor fixed the issue in commit d7f55b38, but no official patch link is provided in the input data.
Potential Impact
Successful exploitation causes a denial of service by crashing the device due to an out-of-bounds read triggered by an integer underflow in payload processing. There is no indication of code execution or data disclosure. The attack vector is network-based and does not require privileges or user interaction.
Mitigation Recommendations
A fix is available in Golioth Firmware SDK starting from version 0.22.0 as indicated by the commit d7f55b38. Users should upgrade to this or later versions to remediate the vulnerability. Since this is not a cloud service, patching the firmware SDK in affected devices is necessary. Patch status is not explicitly confirmed beyond the commit reference; users should consult the vendor advisory or repository for official patch releases and instructions.
CVE-2026-23748: CWE-191 Integer Underflow (Wrap or Wraparound) in Golioth Firmware SDK
Description
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit d7f55b38, contain an out-of-bounds read in LightDB State string parsing. When processing a string payload, a payload_size value less than 2 can cause a size_t underflow when computing the number of bytes to copy (nbytes). The subsequent memcpy() reads past the end of the network buffer, which can crash the device. The condition is reachable from on_payload, and golioth_payload_is_null() does not block payload_size==1. A malicious server or MITM can trigger a denial of service.
CVSS v4.0
Score 6.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Golioth Firmware SDK (versions 0.10.0 up to but not including 0.22.0) involves an integer underflow (CWE-191) during LightDB State string payload processing. When the payload_size value is less than 2, the calculation for the number of bytes to copy (nbytes) underflows, causing memcpy to read beyond the network buffer boundary. This out-of-bounds read can crash the device, enabling denial of service. The issue is reachable from the on_payload function, and the existing check golioth_payload_is_null() does not prevent payload_size==1 from triggering the flaw. Exploitation requires network access and can be performed by a malicious server or man-in-the-middle attacker. The vulnerability is tracked as CVE-2026-23748 with a CVSS 4.0 score of 6.3 (medium severity). The vendor fixed the issue in commit d7f55b38, but no official patch link is provided in the input data.
Potential Impact
Successful exploitation causes a denial of service by crashing the device due to an out-of-bounds read triggered by an integer underflow in payload processing. There is no indication of code execution or data disclosure. The attack vector is network-based and does not require privileges or user interaction.
Mitigation Recommendations
A fix is available in Golioth Firmware SDK starting from version 0.22.0 as indicated by the commit d7f55b38. Users should upgrade to this or later versions to remediate the vulnerability. Since this is not a cloud service, patching the firmware SDK in affected devices is necessary. Patch status is not explicitly confirmed beyond the commit reference; users should consult the vendor advisory or repository for official patch releases and instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-01-15T18:42:20.937Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69a0a1ca85912abc71d0bb48
Added to database: 2/26/2026, 7:40:58 PM
Last enriched: 5/26/2026, 8:20:44 PM
Last updated: 5/29/2026, 10:32:24 AM
Views: 115
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.