CVE-2026-23749: CWE-170: Improper Null Termination in Golioth Firmware SDK
Golioth Firmware SDK versions from 0.19.1 up to, but not including, 0.22.0 (fixed in commit 0e788217) contain an out-of-bounds read caused by improper NUL termination of a blockwise transfer path. blockwise_transfer_init() accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it with strncpy(), which writes a terminator only when the source is shorter than the copy length; at exactly that length ctx->path is left unterminated. A later strlen() on the buffer, in golioth_coap_client_get_internal(), can then read past the end of the allocation and crash the device (denial of service). The path is application-controlled; it is not network-reachable by default.
AI Analysis
Technical Summary
CVE-2026-23749 affects Golioth Firmware SDK versions from 0.19.1 up to, but not including, 0.22.0. The root cause is improper NUL termination (CWE-170) of the blockwise transfer path buffer. blockwise_transfer_init() accepts a path string whose length can equal CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it with strncpy(). strncpy() only NUL-pads the destination when the source is shorter than the requested count, so a path of exactly the maximum length fills ctx->path completely and leaves no terminator. When golioth_coap_client_get_internal() later calls strlen() on that buffer, the scan continues past the end of the allocation until it happens to find a zero byte, producing an out-of-bounds read that can crash the device or otherwise deny service. The triggering input is application-controlled: an attacker needs control over the path passed to the SDK, and the flaw is not reachable from the network by default. The vulnerability carries a CVSS 4.0 score of 2.1 (low) because of its limited impact and preconditions, and no in-the-wild exploitation has been reported. The fix landed in commit 0e788217, released in SDK version 0.22.0. The affected population is embedded IoT devices built on the Golioth Firmware SDK, which targets constrained devices communicating over CoAP; on such devices an out-of-bounds read typically manifests as a fault, watchdog reset or other stability problem rather than a controlled failure.
Potential Impact
The primary impact of CVE-2026-23749 is denial of service: a crash caused by the out-of-bounds read. For organizations deploying IoT devices on the affected Golioth Firmware SDK versions this can mean device instability, unexpected reboots or service interruptions. The vulnerability does not provide remote code execution or privilege escalation, but loss of availability can still disrupt operations in environments that depend on continuous device uptime, such as industrial automation, smart cities or healthcare monitoring. Because exploitation requires control over application-level input and the flaw is not network-exploitable by default, the risk of widespread remote attacks is limited; the realistic triggers are insider action, a compromised application, or application code that builds the path from data received over the network, which would turn the flaw into a remotely reachable one. The impact is therefore on availability and operational continuity rather than confidentiality or integrity. Organizations with large-scale deployments on this SDK may face added maintenance cost and downtime if unpatched devices hit this condition.
Mitigation Recommendations
To mitigate CVE-2026-23749, upgrade all affected Golioth Firmware SDK instances to version 0.22.0 or later, where the termination issue is corrected. Developers should audit every call into blockwise_transfer_init() and reject, at the application layer, any path whose length is greater than or equal to CONFIG_GOLIOTH_COAP_MAX_PATH_LEN, so that there is always room for the terminator; where the application builds paths from external data, such as resource names received from the cloud, apply the same length check before the string reaches the SDK. In the application's own string handling, prefer strnlen() over strlen() on fixed-size buffers and write the terminating NUL explicitly after any strncpy() or memcpy() into them. During development, enable compiler warnings for string truncation, run builds under a memory-safety sanitizer, and fuzz the path-handling entry points with maximum-length and over-length inputs, which is exactly the boundary case this bug sits on. Static analysis tools that flag unterminated strncpy() results catch this pattern cheaply. For deployed devices where an immediate upgrade is not feasible, restrict the sources that can supply paths to the SDK and monitor for abnormal crashes, watchdog resets or service interruptions as an early warning sign.
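The strncpy() boundary case from the technical summary and the length check recommended above, shown side by side as an added example. This is not Golioth SDK code: the struct, the PATH_BUF_LEN constant (a small stand-in for CONFIG_GOLIOTH_COAP_MAX_PATH_LEN), the function names and the sample paths are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for CONFIG_GOLIOTH_COAP_MAX_PATH_LEN (illustrative value). */
#define PATH_BUF_LEN 16

/* Minimal stand-in for the SDK's blockwise-transfer context (not the real struct). */
struct blockwise_ctx {
    char path[PATH_BUF_LEN];
};

/* Vulnerable pattern: strncpy() writes NUL padding only when the source is
 * shorter than the count. If strlen(path) >= sizeof(ctx->path), every byte
 * of ctx->path is copied data and no terminator is stored. */
void init_path_unsafe(struct blockwise_ctx *ctx, const char *path)
{
    strncpy(ctx->path, path, sizeof(ctx->path));
}

/* Hardened pattern: measure with strnlen() (bounded, never runs past the
 * buffer size), reject anything that leaves no room for the terminator,
 * then copy and terminate explicitly. Returns 0 on success, -1 on rejection. */
int init_path_safe(struct blockwise_ctx *ctx, const char *path)
{
    size_t len = strnlen(path, sizeof(ctx->path));
    if (len >= sizeof(ctx->path)) {
        return -1;  /* would need PATH_BUF_LEN + 1 bytes including the NUL */
    }
    memcpy(ctx->path, path, len);
    ctx->path[len] = '\0';
    return 0;
}

/* A check a caller can run before handing the buffer to strlen(): is there a
 * NUL anywhere inside the fixed-size array? memchr() is bounded by the array
 * size, so the check itself cannot read out of bounds. */
bool path_is_terminated(const struct blockwise_ctx *ctx)
{
    return memchr(ctx->path, '\0', sizeof(ctx->path)) != NULL;
}

/* Bounded replacement for the later strlen(): stops at the buffer size. */
size_t path_len_bounded(const struct blockwise_ctx *ctx)
{
    return strnlen(ctx->path, sizeof(ctx->path));
}

int main(void)
{
    struct blockwise_ctx ctx;
    /* Constructed inputs: one of exactly PATH_BUF_LEN characters (the boundary
     * case the advisory describes) and one comfortably shorter. */
    const char *boundary = ".d/settings/1234";   /* 16 characters */
    const char *short_path = ".d/state";         /* 8 characters */

    init_path_unsafe(&ctx, boundary);
    printf("unsafe copy of boundary-length path: terminated=%d\n",
           path_is_terminated(&ctx));

    int rc = init_path_safe(&ctx, boundary);
    printf("safe copy of boundary-length path: rc=%d (rejected)\n", rc);

    rc = init_path_safe(&ctx, short_path);
    printf("safe copy of short path: rc=%d terminated=%d len=%zu\n",
           rc, path_is_terminated(&ctx), path_len_bounded(&ctx));
    return 0;
}
```

The unsafe copy of the 16-character path leaves no NUL anywhere in the 16-byte array, which is precisely the state a subsequent strlen() cannot handle; the safe version refuses that input and terminates everything it does accept. In a fuzzing harness the path_is_terminated() check is the assertion to place immediately after the init call.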
Affected Countries
United States, Germany, Japan, South Korea, China, France, United Kingdom, Canada, India, Israel
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-15T18:42:20.938Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a0a1ca85912abc71d0bb4e
Added to database: 2/26/2026, 7:40:58 PM
Last enriched: 2/26/2026, 8:09:23 PM
Last updated: 2/27/2026, 3:08:18 AM