CVE-2026-23749 in Firmware SDK
Summary
by MITRE • 02/26/2026
Golioth Firmware SDK version 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contains an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwise_transfer_init() accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A later strlen() on this buffer (in golioth_coap_client_get_internal()) can read past the end of the allocation, resulting in a crash/denial of service. The input is application-controlled (not network by default).
Analysis
by VulDB Data Team • 02/26/2026
CVE-2026-23749 is a critical out-of-bounds read in the Golioth Firmware SDK, versions 0.19.1 through 0.21.0, in the blockwise transfer functionality. The bug is caused by missing NUL termination when a transfer path is initialized, which later leads to a memory read beyond the buffer. The flaw lies in blockwise_transfer_init(), which processes application-controlled paths, making it particularly dangerous because it can be triggered through user-provided data rather than network traffic alone.
The root cause is the use of strncpy() to copy the path without ensuring that the destination buffer is NUL-terminated. When a path of exactly CONFIG_GOLIOTH_COAP_MAX_PATH_LEN characters is copied into ctx->path, strncpy() fills the buffer completely and writes no terminating byte. Any later operation that computes the string's length, in particular the strlen() call in golioth_coap_client_get_internal(), then keeps reading past the end of the buffer until it happens to find a zero byte. The result is an out-of-bounds read that can crash the device or otherwise cause a denial of service; as the summary notes, the input originates from application-controlled sources rather than from network packets by default.
Beyond a single crash, the bug can be used to cause a persistent denial of service on IoT devices that rely on the Golioth Firmware SDK to communicate with cloud services: a device running an affected version may restart unexpectedly or lose connectivity to the Golioth platform entirely, which matters where the device is part of critical IoT infrastructure. Triggering the bug requires supplying a path whose length exactly matches the maximum path length, a sophisticated but achievable vector for a determined adversary. VulDB classifies the flaw under CWE-121 and maps it to ATT&CK technique T1499.004 (denial of service).
Mitigation is to update to version 0.22.0 or later, which fixes the issue by NUL-terminating the path buffer regardless of input length. Organizations should verify that every affected device has actually received the update, and should watch for signs of exploitation: unexpected reboots or repeated loss of connectivity across a fleet are the observable symptoms of this bug. Further defensive measures include validating path input at multiple layers (rejecting over-long paths before they reach the SDK), enabling memory safety checks where the platform offers them, and monitoring for unusual patterns of device failures or connectivity loss. The fix in commit 0e788217 shows the correct handling of such string operations: termination is guaranteed independently of the input length, which removes the buffer-management flaw that allowed this vulnerability to persist.
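The root cause and the fix described above, as an added C example that is not code from the Golioth Firmware SDK: the struct, the MAX_PATH_LEN value and all function names are constructed stand-ins, since the page gives neither the SDK's struct layout nor the fix diff. init_unsafe() reproduces the strncpy() pattern with a limit equal to the buffer size; init_safe() shows one way to guarantee termination (bound the input length with memchr(), reject any path that would not leave room for a NUL, then copy and terminate explicitly). path_is_terminated() also uses memchr() so that the check itself never reads past the buffer the way strlen() would.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for CONFIG_GOLIOTH_COAP_MAX_PATH_LEN (a Kconfig value
 * in the SDK; the real number is not given on the page). */
#define MAX_PATH_LEN 8

/* Hypothetical transfer context; the SDK's real struct layout is not shown.
 * path[] is exactly MAX_PATH_LEN bytes, so a path of that length fills it
 * with no room for a terminating NUL. The after[] field stands in for
 * whatever happens to follow path[] in memory. */
struct xfer_ctx {
    char path[MAX_PATH_LEN];
    char after[4];
};

/* Vulnerable pattern: strncpy() with a limit equal to the buffer size.
 * For a path shorter than MAX_PATH_LEN, strncpy() pads with NULs; for a
 * path of exactly MAX_PATH_LEN bytes nothing terminates the buffer, and a
 * later strlen(ctx->path) runs on into ctx->after and beyond. */
static void init_unsafe(struct xfer_ctx *ctx, const char *path)
{
    strncpy(ctx->path, path, MAX_PATH_LEN);
}

/* Hardened pattern: find the input's NUL within the size limit, reject
 * anything that would not leave room for a terminator, then copy and
 * terminate explicitly. ctx->path is left as a valid (empty) string on
 * failure so no caller can ever observe it unterminated. */
static int init_safe(struct xfer_ctx *ctx, const char *path)
{
    const char *nul = memchr(path, '\0', MAX_PATH_LEN);
    if (nul == NULL) {                 /* length >= MAX_PATH_LEN: no room for NUL */
        ctx->path[0] = '\0';
        return -1;
    }
    size_t n = (size_t)(nul - path);   /* n < MAX_PATH_LEN here */
    memcpy(ctx->path, path, n);
    ctx->path[n] = '\0';
    return 0;
}

/* Bounded check: memchr() never reads past path[], unlike strlen(). */
static bool path_is_terminated(const struct xfer_ctx *ctx)
{
    return memchr(ctx->path, '\0', sizeof ctx->path) != NULL;
}

/* Exercise init_unsafe() on a constructed path and report whether the
 * resulting ctx->path could safely be passed to strlen(). The whole struct
 * is pre-filled with non-zero bytes so no stale NUL masks the bug. */
static bool unsafe_init_terminated(const char *path)
{
    struct xfer_ctx ctx;
    memset(&ctx, 'A', sizeof ctx);
    init_unsafe(&ctx, path);
    return path_is_terminated(&ctx);
}

/* Same for init_safe(): returns its status and reports termination. */
static int safe_init(const char *path, bool *terminated)
{
    struct xfer_ctx ctx;
    memset(&ctx, 'A', sizeof ctx);
    int rc = init_safe(&ctx, path);
    *terminated = path_is_terminated(&ctx);
    return rc;
}

int main(void)
{
    /* Constructed inputs: one byte under the limit, and exactly at it. */
    const char *short_path = "/a/b/c1";    /* 7 bytes */
    const char *full_path  = "/a/b/c12";   /* 8 bytes == MAX_PATH_LEN */
    bool terminated;
    int rc;

    printf("strncpy, %zu-byte path: terminated=%d\n", strlen(short_path),
           unsafe_init_terminated(short_path));
    printf("strncpy, %zu-byte path: terminated=%d\n", strlen(full_path),
           unsafe_init_terminated(full_path));

    rc = safe_init(full_path, &terminated);
    printf("hardened, %zu-byte path: rc=%d terminated=%d\n",
           strlen(full_path), rc, terminated);
    rc = safe_init(short_path, &terminated);
    printf("hardened, %zu-byte path: rc=%d terminated=%d\n",
           strlen(short_path), rc, terminated);
    return 0;
}
```

The same check can be applied one layer up, before the SDK is called: an application that rejects paths of CONFIG_GOLIOTH_COAP_MAX_PATH_LEN bytes or longer never reaches the unterminated-buffer state even on an unpatched SDK, which is the "input validation at multiple layers" recommended above.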