Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remotely reachable assertion with no auth or interaction asserted (AV:N/AC:L/PR:N/UI:N) and pure crash/DoS impact, so C:N/I:N/A:H; retained AC:L per source despite the two-cluster prerequisite.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) 1.3 thru 1.4, specifically within the Level Control cluster's server tick logic (emberAfLevelControlClusterServerTickCallback). When a MoveToLevel command is executed and followed by a conflicting write to the OperationMode attribute (in the Pump Configuration and Control cluster), an invariant check (minLevel < currentLevel) fails and causes the device to abort. This leads to a denial of service condition. The issue is confirmed in SDK versions 1.3 and 1.4 (commit ab3d5ae), and is triggered remotely without authentication.
AnalysisAI
Remote denial of service in the Matter SDK (connectedhomeip) versions 1.3 through 1.4 lets unauthenticated attackers crash smart-home devices by racing a Level Control MoveToLevel command against a conflicting write to the Pump Configuration and Control cluster's OperationMode attribute, tripping a reachable assertion (minLevel < currentLevel) in the server tick callback. The abort forces the device to restart or hang, disrupting any product built on the affected SDK. No public exploit identified at time of analysis, and the issue is tracked via project-chip GitHub issue #38619 with no vendor-released patch identified.
Technical ContextAI
The Matter (formerly Project CHIP / connectedhomeip) SDK is the open-source reference implementation of the Matter smart-home interoperability standard used across many vendors' IoT devices. The flaw sits in the Level Control cluster server tick handler (emberAfLevelControlClusterServerTickCallback), which drives gradual attribute transitions such as dimming. When a MoveToLevel transition is in flight and the OperationMode attribute in the Pump Configuration and Control cluster is written to a conflicting value, the level-clamping bounds are altered so that the internal invariant minLevel < currentLevel no longer holds. This is a textbook CWE-617 Reachable Assertion: an assertion meant to catch impossible states is reachable through externally controlled input, and its failure aborts the process rather than degrading gracefully.
RemediationAI
No vendor-released patch identified at time of analysis; the issue is tracked in upstream GitHub issue https://github.com/project-chip/connectedhomeip/issues/38619 and no tagged fixed release is confirmed in the provided data, so upgrade to a patched SDK build once project-chip publishes one and rebuild affected device firmware. Until a fix ships, restrict Matter fabric access so only trusted commissioned controllers can send Level Control and Pump Configuration and Control commands, since Matter operational access normally requires prior commissioning - tightening commissioning and segmenting the IoT VLAN limits which nodes can reach the vulnerable endpoint. Where the device role permits, avoid exposing or disable the Pump Configuration and Control cluster on non-pump devices to remove the conflicting OperationMode write path, accepting the trade-off that legitimate pump-control functionality would be lost. Monitor affected devices for unexpected aborts or reboots as a detection measure. Do not apply invented version numbers - confirm the exact fixed commit or release directly from the project-chip repository before deployment.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210468
GHSA-f6px-4w9c-rj4f