CVE-2026-23750: CWE-122 Heap-based Buffer Overflow in Golioth Pouch
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.
AI Analysis
Technical Summary
CVE-2026-23750 is a heap-based buffer overflow (CWE-122) in Golioth Pouch 0.1.0, in the BLE GATT handler that receives a server certificate in fragments. server_cert_write() allocates a heap buffer of CONFIG_POUCH_SERVER_CERT_MAX_LEN bytes when the first fragment arrives and then memcpy()s each later fragment at the current write offset without checking that the remaining capacity can hold it. Because the buffer size is fixed at allocation time, a sequence of fragments whose total length exceeds CONFIG_POUCH_SERVER_CERT_MAX_LEN writes past the end of the allocation into adjacent heap memory. The writes are unauthenticated: any BLE client within radio range that can connect and write to the characteristic can trigger the overflow, with no pairing or user interaction required. The immediate effect is heap corruption and a crash (denial of service); because attacker-controlled bytes land in neighbouring heap data, an integrity impact on the device's state is also possible. The CVSS 4.0 vector records an adjacent attack vector (AV:A, meaning BLE range rather than a remote network), low attack complexity, no privileges, no user interaction, and high integrity and availability impact. The fix is identified by commit 1b2219a1 in the description above; no public exploit is reported. Any IoT firmware built on Golioth Pouch 0.1.0 that exposes this BLE GATT certificate service is affected.
Potential Impact
The direct impact is denial of service: the overflow corrupts heap metadata or neighbouring allocations and the firmware crashes or resets. Because the overflowing bytes are attacker-controlled, corruption of adjacent heap data can also alter device state; the advisory scores integrity impact as high and does not claim disclosure of data. No authentication or user interaction is needed, so any attacker within BLE range of a device running Pouch 0.1.0 can trigger it, which matters most where devices are physically reachable: critical infrastructure, industrial control systems and consumer electronics. Practical consequences are repeated crashes and loss of the BLE service, and, if the corrupted memory includes data the device relies on for security decisions, a foothold for further attack. No exploit is currently reported, but the bug is simple to trigger from a generic BLE client once the characteristic is known, so disclosure makes exploitation attempts likely.
Mitigation Recommendations
Update to a Golioth Pouch build that includes commit 1b2219a1 or later; that is the fix the description references. If you carry a fork or cannot update immediately, patch server_cert_write() so that each fragment is rejected before the memcpy() when its length exceeds the space remaining in the buffer (CONFIG_POUCH_SERVER_CERT_MAX_LEN minus the bytes already received), and reset the reassembly state on rejection so a partial certificate is never used. Reduce exposure at the BLE layer: require an encrypted or authenticated link for writes to the certificate characteristic, keep the device connectable only when certificate provisioning is expected (if that is the only time the characteristic is written), and disconnect clients that send malformed fragment sequences. During development, build the GATT handlers for a host target and fuzz them under AddressSanitizer so this class of bug is caught before release; on the device, enable whatever heap integrity checking the RTOS allocator offers so corruption fails fast rather than silently. Monitor for repeated unexpected resets and for BLE connections that write oversized certificate data. Physical access control to deployed devices and limiting BLE range where feasible reduce, but do not remove, the attacker's opportunity.
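The flaw and the fix described in the Technical Summary and the Mitigation Recommendations, as an added C example that is not Golioth Pouch's code: the struct layout, function names, the 64-byte CONFIG_POUCH_SERVER_CERT_MAX_LEN value and the fragment sizes are assumptions for illustration. The unchecked append shows the missing check beside the checked one; rather than actually corrupting the heap, the unchecked path is only dry-run arithmetically to report how far past the buffer a fragment sequence would write.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value for illustration; the real Kconfig default is not given in the advisory. */
#define CONFIG_POUCH_SERVER_CERT_MAX_LEN 64

/* Hypothetical reassembly state for a fragmented certificate write. */
struct cert_state {
    uint8_t *buf;  /* heap buffer allocated on the first fragment */
    size_t cap;    /* allocated size: CONFIG_POUCH_SERVER_CERT_MAX_LEN */
    size_t len;    /* bytes accepted so far */
};

/* First fragment: allocate the fixed-size buffer and reset the write offset. */
int cert_begin(struct cert_state *st)
{
    free(st->buf);
    st->buf = malloc(CONFIG_POUCH_SERVER_CERT_MAX_LEN);
    if (st->buf == NULL) {
        st->cap = 0;
        st->len = 0;
        return -ENOMEM;
    }
    st->cap = CONFIG_POUCH_SERVER_CERT_MAX_LEN;
    st->len = 0;
    return 0;
}

/*
 * The vulnerable pattern: append at the current offset with no capacity check.
 * Shown for contrast only; nothing below calls it with oversized input.
 */
int cert_append_unchecked(struct cert_state *st, const uint8_t *frag, size_t frag_len)
{
    if (st->buf == NULL) return -EINVAL;
    memcpy(st->buf + st->len, frag, frag_len); /* writes past cap when len + frag_len > cap */
    st->len += frag_len;
    return 0;
}

/* The fix: reject the fragment before touching memory if it does not fit. */
int cert_append_checked(struct cert_state *st, const uint8_t *frag, size_t frag_len)
{
    if (st->buf == NULL) return -EINVAL;
    /* len <= cap is an invariant of this function, so cap - len cannot underflow. */
    if (frag_len > st->cap - st->len) return -EMSGSIZE;
    memcpy(st->buf + st->len, frag, frag_len);
    st->len += frag_len;
    return 0;
}

/* Dry run of the unchecked path: bytes that would land past the end of the buffer. */
size_t unchecked_overflow_bytes(const size_t *frag_lens, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += frag_lens[i];
    return total > CONFIG_POUCH_SERVER_CERT_MAX_LEN ? total - CONFIG_POUCH_SERVER_CERT_MAX_LEN : 0;
}

/*
 * Feed a fragment sequence through the checked writer. Returns 0 if every fragment
 * fit, otherwise the error from the first rejected fragment; *out_len receives the
 * number of bytes accepted before rejection. Fragment contents are filler bytes.
 */
int checked_write_sequence(const size_t *frag_lens, size_t n, size_t *out_len)
{
    struct cert_state st = {0};
    int rc = cert_begin(&st);
    for (size_t i = 0; rc == 0 && i < n; i++) {
        uint8_t frag[256];
        size_t fl = frag_lens[i] > sizeof frag ? sizeof frag : frag_lens[i];
        memset(frag, 0x30 + (int)i, sizeof frag);
        rc = cert_append_checked(&st, frag, fl);
    }
    *out_len = st.len;
    free(st.buf);
    return rc;
}

int main(void)
{
    /* Constructed fragment sequences: a 60-byte certificate in two pieces, and an
     * 80-byte one that an adjacent BLE client could send against a 64-byte buffer. */
    const size_t good[] = {40, 20};
    const size_t bad[] = {40, 40};
    size_t len;
    int rc = checked_write_sequence(good, 2, &len);
    printf("good: rc=%d accepted=%zu\n", rc, len);
    rc = checked_write_sequence(bad, 2, &len);
    printf("bad: rc=%d accepted=%zu; unchecked path would overflow by %zu bytes\n",
           rc, len, unchecked_overflow_bytes(bad, 2));
    return 0;
}
```

The check is placed on the remaining capacity rather than on the running total so the comparison cannot itself overflow, and the caller should treat -EMSGSIZE as a reason to drop the reassembly state and the connection, not to retry.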
Affected Countries
United States, Germany, Japan, South Korea, China, United Kingdom, France, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-15T18:42:20.938Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a0a1ca85912abc71d0bb54
Added to database: 2/26/2026, 7:40:58 PM
Last enriched: 3/24/2026, 12:36:39 AM
Last updated: 4/13/2026, 9:26:51 AM