LR1110 CVE-2025-14858

EUVD: EUVD-2025-209284 | MEDIUM
Sensitive Information in Resource Not Removed Before Reuse (CWE-226)
2026-04-07 SWI GHSA-pq38-4mfg-vpxj
5.1 (CVSS 4.0 · NVD)

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:C/RE:M/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

EUVD ID Assigned: Apr 07, 2026 - 20:16 (euvd), EUVD-2025-209284
Analysis Generated: Apr 07, 2026 - 20:16 (vuln.today)
CVE Published: Apr 07, 2026 - 19:57 (nvd), MEDIUM 5.1

Description (CVE.org)

The Semtech LR11xx LoRa transceivers running early versions of firmware contain an information disclosure vulnerability in their firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.

Analysis (AI)

Information disclosure vulnerability in Semtech LR11xx LoRa transceivers (LR1110, LR1120, LR1121) allows attackers with physical SPI interface access to retrieve decrypted firmware contents by exploiting improper memory cleanup after firmware validation. The device fails to clear the last decrypted firmware block from memory after integrity checks complete, enabling an attacker to bypass firmware encryption protection via subsequent SPI memory read commands. This affects early firmware versions and requires direct physical access to the SPI interface.

Technical Context (AI)

The Semtech LR11xx series are ultra-low-power LoRa transceivers that support encrypted firmware updates via the SPI (Serial Peripheral Interface) protocol. The vulnerability exists in the firmware validation subsystem, which implements block-by-block decryption of encrypted firmware packages to verify integrity before deployment. The root cause is improper resource cleanup (CWE-226: Sensitive Information in Resource Not Removed Before Reuse) in the validation routine: specifically, the failure to zeroize cryptographic buffers after the validation operation completes. When the host issues a firmware validity check command, the device decrypts firmware blocks sequentially but leaves the final decrypted block resident in memory. Subsequent SPI read commands can access this uncleared memory region, effectively leaking decrypted firmware contents and negating the protection provided by firmware encryption. Affected products include LR1110 (all versions per CPE cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:*), LR1120, and LR1121 transceivers running early firmware revisions.

Remediation (AI)

Upgrade to patched firmware versions released by Semtech. The vendor's PSA-2026-001 security bulletin (https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001) provides specific firmware version numbers and distribution guidance. The fix involves clearing (zeroizing) decrypted firmware blocks from memory immediately after validation completes, preventing residual plaintext from being accessible via subsequent SPI reads. For organizations unable to immediately upgrade, implement additional physical security controls such as epoxy coating of SPI debug pins, tamper detection mechanisms, or secure enclosures that prevent unauthorized SPI interface access. Supply-chain integrity verification and device authentication checks should be prioritized for deployments in high-security contexts.
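The CWE-226 pattern described under Technical Context and the zeroizing fix described above, as an added C sketch that is not Semtech's firmware or code from this page. The buffer name, the 16-byte block size, the XOR "decryption" and the checksum are all assumptions standing in for the real cipher and integrity check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 16  /* assumed block size */
/* Scratch RAM that a later host memory-read command could reach (hypothetical name). */
static uint8_t scratch[BLOCK];

/* Placeholder "decryption": XOR with a fixed byte. Not a real cipher. */
static void toy_decrypt(const uint8_t *in, uint8_t *out) {
    for (size_t i = 0; i < BLOCK; i++) out[i] = in[i] ^ 0x5A;
}

/* Zeroize through a volatile pointer so the compiler cannot elide the stores. */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Decrypt each block into scratch and fold it into a checksum (integrity stand-in).
   wipe == 0 reproduces the residue; wipe == 1 clears scratch before returning. */
uint32_t validate_image(const uint8_t *img, size_t nblocks, int wipe) {
    uint32_t sum = 0;
    for (size_t b = 0; b < nblocks; b++) {
        toy_decrypt(img + b * BLOCK, scratch);
        for (size_t i = 0; i < BLOCK; i++) sum = sum * 31u + scratch[i];
    }
    if (wipe) secure_zero(scratch, sizeof scratch);
    return sum;
}

/* Returns 1 if scratch still holds the plaintext of the image's last block. */
int leaks_last_block(const uint8_t *img, size_t nblocks) {
    uint8_t expect[BLOCK];
    toy_decrypt(img + (nblocks - 1) * BLOCK, expect);
    return memcmp(scratch, expect, BLOCK) == 0;
}

int main(void) {
    uint8_t img[2 * BLOCK];  /* constructed sample "encrypted" image */
    for (size_t i = 0; i < sizeof img; i++) img[i] = (uint8_t)(i + 1);
    validate_image(img, 2, 0);
    printf("no wipe: last block resident = %d\n", leaks_last_block(img, 2));
    validate_image(img, 2, 1);
    printf("wipe:    last block resident = %d\n", leaks_last_block(img, 2));
    return 0;
}
```

The validation result is identical in both modes; only the state left behind in the scratch buffer differs, which is why this class of bug does not show up in functional testing.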
