CVE-2026-47149 in EmberZNet
Summary
by MITRE • 06/25/2026
In EmberZNet v9.0.2 and earlier, malformed or out-of-range Door Lock user identifiers can trigger out-of-bounds table reads and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Door Lock cluster may be impacted.
Analysis
by VulDB Data Team • 06/25/2026
This CVE affects EmberZNet v9.0.2 and earlier versions, specifically devices implementing the Door Lock cluster within Zigbee networks. It is a classic buffer over-read condition that occurs when the Door Lock cluster processes malformed or out-of-range user identifiers. The flaw stems from inadequate input validation in the Door Lock cluster implementation, which fails to check user identifier values before using them for table lookups. When an authenticated device within the network sends a specially crafted message containing invalid user identifier data, the system attempts to access memory beyond the allocated bounds of its internal user tables, and the process terminates. Only devices already joined to the network can exploit the flaw, so the attack vector requires prior network authentication and the malicious actor must first establish a legitimate presence within the Zigbee mesh. The absence of information leakage back to the sender suggests that, although the system crashes, this vulnerability path offers no direct data exfiltration capability.
The flaw is an out-of-bounds memory access that maps directly to CWE-125: "Out-of-Bounds Read", and potentially to CWE-787: "Out-of-Bounds Write" if the system's error handling writes beyond allocated memory regions. It belongs to the broader category of memory safety issues common in embedded systems and IoT devices, where resource constraints often lead to insufficient bounds checking. The operational impact extends beyond simple service disruption: the crash creates a denial-of-service condition for legitimate door lock operations, potentially leaving users unable to access secured areas during critical moments. From an attack perspective, this vulnerability aligns with ATT&CK technique T1499.004: "Endpoint Denial of Service" and could be leveraged as part of broader network disruption campaigns against IoT infrastructure.
Mitigation requires immediate firmware updates to EmberZNet versions that address the input validation gaps in the Door Lock cluster implementation. Network administrators should ensure that all devices supporting the Door Lock cluster run patched versions that validate user identifier ranges before any table access. Network monitoring that detects anomalous Door Lock cluster messages can serve as an early warning of exploitation attempts. The vulnerability shows how important input validation is in embedded systems, where a single malformed parameter can terminate the whole process. Organizations should also consider network segmentation that limits the impact of such vulnerabilities within their overall security architecture, so that compromise of one device does not immediately translate to broader network access or operational disruption.
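The range check described in the mitigation, shown beside the flawed pattern. This is an added example, not EmberZNet code and not taken from the advisory; the table size, type and function names, the 16-bit little-endian user ID at the start of the payload, and 0-based indexing are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical names and sizes; none of this is EmberZNet code. */
#define LOCK_USER_TABLE_SIZE 8u

typedef struct {
    uint8_t in_use;
    uint8_t status;
} lock_user_t;

typedef enum {
    LOOKUP_OK = 0,
    LOOKUP_MALFORMED,     /* payload too short to hold a user ID */
    LOOKUP_OUT_OF_RANGE,  /* user ID does not index the table */
    LOOKUP_EMPTY_SLOT     /* valid index, but no user stored there */
} lookup_result_t;

static lock_user_t user_table[LOCK_USER_TABLE_SIZE] = {
    [0] = { 1, 1 }, [3] = { 1, 1 }   /* constructed sample entries */
};

/* Flawed pattern: the received value indexes the table directly.
 * Never called here; kept only to contrast with the checked form. */
uint8_t lookup_user_unchecked(const uint8_t *payload)
{
    uint16_t id = (uint16_t)(payload[0] | ((uint16_t)payload[1] << 8));
    return user_table[id].status;    /* id >= table size: out-of-bounds read */
}

/* Hardened form: validate payload length, then the range, before any
 * table access. *out is set only when the result is LOOKUP_OK. */
lookup_result_t lookup_user_checked(const uint8_t *payload, size_t len,
                                    const lock_user_t **out)
{
    *out = NULL;
    if (payload == NULL || len < 2)
        return LOOKUP_MALFORMED;
    uint16_t id = (uint16_t)(payload[0] | ((uint16_t)payload[1] << 8));
    if (id >= LOCK_USER_TABLE_SIZE)
        return LOOKUP_OUT_OF_RANGE;
    if (!user_table[id].in_use)
        return LOOKUP_EMPTY_SLOT;
    *out = &user_table[id];
    return LOOKUP_OK;
}
```

Rejecting the message with an error status instead of indexing keeps the process alive, and the rejected-message count is a natural signal for the monitoring mentioned above.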