CVE-2026-47154 in EmberZNet

Summary

by MITRE • 06/25/2026

In EmberZNet v9.0.2 and earlier, a malformed GetProfileResponse message can trigger out-of-bounds reads while iterating interval entries and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Simple Metering cluster may be impacted.


Analysis

by VulDB Data Team • 06/25/2026

The vulnerability affects EmberZNet v9.0.2 and earlier versions: a malformed GetProfileResponse message can trigger out-of-bounds memory reads while the Simple Metering cluster implementation iterates over interval entries. This is a classic buffer over-read, which occurs when the system processes malformed data structures without proper bounds checking. The malformed message must come from a device that has already joined the network, so the attack vector requires prior network access and device authentication. Under CWE-129, this is improper input validation in which insufficient validation of array indices leads to memory access violations while processing the interval entries of the metering profile response.

The operational impact is process termination when a malformed GetProfileResponse message is received from an authenticated network device. The failure mode is abrupt termination rather than graceful error handling, which could disrupt network operations and device functionality. This behavior aligns with ATT&CK technique T1499.004 for network denial-of-service attacks, where adversaries cause system instability through malformed message processing. The vulnerability does not appear to result in information disclosure back to the sender: the process terminates, but no sensitive data is exposed by the out-of-bounds reads.

Only devices supporting the Simple Metering cluster are impacted, so only implementations of this particular Zigbee cluster specification are at risk. That narrows the attack surface to metering devices such as smart meters or energy monitoring systems. An attacker must first establish device membership within the network before delivering the malformed message, which provides some inherent protection but does not prevent all attack scenarios. No information leaks back to the sender, so although the process terminates, no sensitive data is directly accessible through this attack vector. Mitigation should focus on robust bounds checking during interval entry iteration and on proper error handling during message processing, so that a malformed message is rejected instead of causing out-of-bounds memory access, process termination and denial of service within Zigbee network infrastructure.
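The bounds check recommended above, as an added example that is not EmberZNet code. It assumes the GetProfileResponse payload layout of the Zigbee Simple Metering cluster (a 7-byte header ending in a one-byte interval count, followed by 24-bit little-endian intervals), which this page does not give, and it assumes the over-read comes from a count larger than the payload holds; `gpr_parse_intervals` and the sample frames are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not stated on the page): EndTime u32 | Status u8 |
 * ProfileIntervalPeriod u8 | NumberOfPeriodsDelivered u8 | Intervals u24[] */
#define GPR_HEADER_LEN   7u
#define GPR_INTERVAL_LEN 3u

enum { GPR_OK = 0, GPR_TRUNCATED_HEADER = -1,
       GPR_COUNT_EXCEEDS_PAYLOAD = -2, GPR_OUTPUT_TOO_SMALL = -3 };

/* Constructed sample frames: two intervals declared and present ... */
static const uint8_t gpr_sample_ok[] = {
    0, 0, 0, 0, 0x00, 0x00, 0x02, 0x10, 0x00, 0x00, 0x03, 0x02, 0x01 };
/* ... and 64 intervals declared with only one present. */
static const uint8_t gpr_sample_bad[] = {
    0, 0, 0, 0, 0x00, 0x00, 0x40, 0x10, 0x00, 0x00 };

/* Hypothetical helper: copies the intervals into out[] only after checking
 * the sender-supplied count against the bytes actually received. */
int gpr_parse_intervals(const uint8_t *payload, size_t len,
                        uint32_t *out, size_t out_cap, size_t *out_count)
{
    if (!payload || !out || !out_count || len < GPR_HEADER_LEN)
        return GPR_TRUNCATED_HEADER;

    size_t claimed = payload[6];                 /* untrusted count field */
    size_t available = (len - GPR_HEADER_LEN) / GPR_INTERVAL_LEN;
    if (claimed > available)
        return GPR_COUNT_EXCEEDS_PAYLOAD;        /* reject, do not iterate */
    if (claimed > out_cap)
        return GPR_OUTPUT_TOO_SMALL;

    for (size_t i = 0; i < claimed; i++) {
        const uint8_t *p = payload + GPR_HEADER_LEN + i * GPR_INTERVAL_LEN;
        out[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16);
    }
    *out_count = claimed;
    return GPR_OK;
}

int main(void)
{
    uint32_t out[8];
    size_t n = 0;
    printf("well-formed: %d\n", gpr_parse_intervals(gpr_sample_ok, sizeof gpr_sample_ok, out, 8, &n));
    printf("malformed:   %d\n", gpr_parse_intervals(gpr_sample_bad, sizeof gpr_sample_bad, out, 8, &n));
    return 0;
}
```

Returning an error code for the malformed frame lets the caller drop the message and keep running, which is the graceful handling the analysis calls for.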

Responsible

Silabs

Reservation

05/18/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low
