Severity by source
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:X
Lifecycle Timeline
3DescriptionCVE.org
An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access.
AnalysisAI
Stack memory write protection bypass in Semtech LoRa LR11xx transceiver firmware allows physical attackers with SPI interface access to overwrite the program call stack and achieve limited arbitrary code execution during an active session. The vulnerability affects LR1110, LR1120, and LR1121 devices running early firmware versions; however, impact is constrained to the current attack session because secure boot prevents persistent firmware modification, cryptographic keys remain isolated, and all changes revert upon device reboot or loss of physical access. CVSS 5.4 (moderate) reflects the physical attack requirement despite high confidentiality and integrity impact.
Technical ContextAI
Semtech LoRa LR11xx transceivers (LR1110, LR1120, LR1121) are sub-GHz wireless transceiver chips used in IoT and LoRaWAN applications. The vulnerability resides in the firmware's memory write command handler accessible via the physical Serial Peripheral Interface (SPI) bus-the primary communication protocol between the transceiver and host microcontroller. The root cause is an improper access control flaw (CWE-123: Write-What-Where Condition) where the firmware fails to enforce write protection on the program call stack memory region. An attacker with direct physical access to the SPI interface can craft malformed memory write commands that bypass protection checks and overwrite stack data, enabling control flow hijacking. The device's secure boot mechanism and isolated cryptographic engine (referenced in the description) mitigate persistence and key extraction, limiting the attack window to the duration of physical access and the active session.
RemediationAI
Update affected Semtech LR11xx transceiver firmware to the patched version specified in Semtech security bulletin SEM-PSA-2026-001 (https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001). Exact patched firmware versions are not provided in the available data; consult the Semtech advisory for the correct target version for your device model and current firmware level. As an interim mitigation, restrict physical SPI interface access through mechanical tamper-evident enclosures, secure mounting in controlled-access facilities, or disabling SPI debug interfaces where permitted by application requirements. Monitor firmware update channels from Semtech and implement a rollout plan prioritizing devices in physically accessible or untrusted environments. Secure boot is already present and functional; verify it remains enabled in your deployment.
Cryptographic bypass in Semtech LR11xx LoRa transceiver secure boot allows physically proximate attackers to install arb
Information disclosure vulnerability in Semtech LR11xx LoRa transceivers (LR1110, LR1120, LR1121) allows attackers with
Same weakness CWE-123 – Write-what-where Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209282
GHSA-xjjj-2993-4g39