CVE-2026-23749: CWE-170: Improper Null Termination in Golioth Firmware SDK
Golioth Firmware SDK versions from 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contain an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwise_transfer_init() accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A later strlen() on this buffer (in golioth_coap_client_get_internal()) can read past the end of the allocation, resulting in a crash/denial of service. The input is application-controlled (not network by default).
AI Analysis
Technical Summary
CVE-2026-23749 is a vulnerability in the Golioth Firmware SDK affecting versions prior to 0.22.0, with version 0.19.1 explicitly listed as affected. The root cause is improper null termination (CWE-170) in blockwise_transfer_init(), which handles blockwise transfer paths. The function accepts a path string whose length can equal CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it with strncpy() without explicitly appending a null terminator, so the ctx->path buffer is left unterminated. When golioth_coap_client_get_internal() later calls strlen() on this buffer, the read runs past the allocated memory boundary, an out-of-bounds read that leads to a crash and therefore denial of service. The vulnerability is triggered by application-controlled input, not by network input by default, which limits remote exploitation. The flaw does not allow privilege escalation, code execution, or data leakage, but it can crash the firmware and affect device availability. The issue was fixed in commit 0e788217 by ensuring proper null termination of the path buffer. The CVSS 4.0 base score is 2.1, reflecting low severity: local attack vector, no privileges required, no user interaction, and impact confined to availability. No known exploits have been reported in the wild. The vulnerability affects embedded IoT devices built on the Golioth Firmware SDK, which is used for IoT device firmware management and communication.
Potential Impact
The primary impact of CVE-2026-23749 is denial of service caused by application crashes due to out-of-bounds reads. Devices running vulnerable versions of the Golioth Firmware SDK may experience unexpected reboots or service interruptions when processing specially crafted application inputs that trigger the improper null termination. This can degrade device reliability and availability, potentially disrupting IoT deployments that rely on continuous operation. Since the vulnerability requires application-level input and is not exploitable remotely by default, the risk of widespread automated attacks is low. However, in environments where attackers or malicious insiders have local access or control over application inputs, this vulnerability could be leveraged to cause targeted disruptions. The impact on confidentiality and integrity is negligible, as the flaw does not permit code execution or data corruption. Organizations deploying IoT devices with this SDK in critical infrastructure or industrial settings may face operational risks if devices become unresponsive. The limited scope and low severity reduce the urgency but do not eliminate the need for remediation.
Mitigation Recommendations
To mitigate CVE-2026-23749, organizations should upgrade all affected Golioth Firmware SDK instances to version 0.22.0 or later, where the vulnerability is fixed by ensuring proper null termination of the path buffer. Until upgrades can be applied, developers should audit application code that interacts with blockwise_transfer_init() to ensure input path lengths are strictly less than CONFIG_GOLIOTH_COAP_MAX_PATH_LEN, preventing boundary conditions that cause unterminated strings. Implement rigorous input validation and sanitization on application-controlled inputs to block malformed or maximum-length path strings. Employ runtime memory safety tools or fuzz testing during development to detect similar out-of-bounds conditions. For deployed devices, monitor logs and device health metrics for signs of crashes or reboots that may indicate exploitation attempts. Restrict local access to devices and application interfaces to trusted personnel to reduce the risk of malicious input injection. Finally, maintain an inventory of devices using the vulnerable SDK versions to prioritize patching efforts.
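The strncpy() boundary condition described in the Technical Summary and the strict length check recommended above, as an added C example that is not the SDK's own code: MAX_PATH_LEN stands in for CONFIG_GOLIOTH_COAP_MAX_PATH_LEN (assumed value; the real one comes from the SDK's Kconfig), the context struct and canary bytes are constructed, and the hardened variant is one possible fix, not the change made in commit 0e788217.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for CONFIG_GOLIOTH_COAP_MAX_PATH_LEN (assumed value; the SDK's
 * Kconfig sets the real one). */
#define MAX_PATH_LEN 8

/* Constructed context: the canary sits right after path, so a missing NUL
 * lets a later strlen(ctx->path) run straight into it. */
struct xfer_ctx {
    char path[MAX_PATH_LEN];
    char canary[4];
};

/* The pattern the advisory describes: strncpy with the buffer size as the
 * limit and no forced terminator. Returns whether path got a NUL at all. */
static bool path_init_vulnerable(struct xfer_ctx *ctx, const char *path)
{
    memset(ctx->canary, 'X', sizeof ctx->canary); /* non-NUL neighbours */
    strncpy(ctx->path, path, sizeof ctx->path);
    return memchr(ctx->path, '\0', sizeof ctx->path) != NULL;
}

/* One possible hardening: reject any path that cannot fit together with its
 * terminator (length must be strictly less than the buffer size), then copy
 * with an explicit NUL. */
static bool path_init_hardened(struct xfer_ctx *ctx, const char *path)
{
    size_t len = 0;
    while (len < sizeof ctx->path && path[len] != '\0')
        len++;
    if (len >= sizeof ctx->path) {
        ctx->path[0] = '\0'; /* leave a safe empty path on rejection */
        return false;
    }
    memcpy(ctx->path, path, len);
    ctx->path[len] = '\0';
    return true;
}

/* Length that a strlen(ctx->path) would report, found by scanning the whole
 * struct as bytes so the check itself stays in bounds (path is the first
 * member). A result equal to sizeof *ctx means the scan left the struct
 * without finding any NUL, i.e. a real strlen() would read out of bounds. */
static size_t observed_path_len(const struct xfer_ctx *ctx)
{
    const char *base = (const char *)ctx;
    const char *nul = memchr(base, '\0', sizeof *ctx);
    return nul ? (size_t)(nul - base) : sizeof *ctx;
}
```

A path of exactly MAX_PATH_LEN bytes is the single case that flips the vulnerable variant from terminated to unterminated, which is why the audit advice above insists on "strictly less than".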
Affected Countries
United States, Germany, Japan, South Korea, China, United Kingdom, France, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-15T18:42:20.938Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69a0a1ca85912abc71d0bb4e
Added to database: 2/26/2026, 7:40:58 PM
Last enriched: 3/24/2026, 12:36:28 AM
Last updated: 4/12/2026, 11:15:37 AM