Skip to main content

Matter SDK CVE-2025-56361

| EUVDEUVD-2025-210468 HIGH
Reachable Assertion (CWE-617)
2026-07-14 cve@mitre.org GHSA-f6px-4w9c-rj4f
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remotely reachable assertion with no auth or interaction asserted (AV:N/AC:L/PR:N/UI:N) and pure crash/DoS impact, so C:N/I:N/A:H; retained AC:L per source despite the two-cluster prerequisite.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 15, 2026 - 15:27 vuln.today
CVSS changed
Jul 15, 2026 - 15:22 NVD
7.5 (HIGH)
CVE Published
Jul 14, 2026 - 22:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 14, 2026 - 22:16 cve.org
HIGH 7.5

DescriptionCVE.org

A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) 1.3 thru 1.4, specifically within the Level Control cluster's server tick logic (emberAfLevelControlClusterServerTickCallback). When a MoveToLevel command is executed and followed by a conflicting write to the OperationMode attribute (in the Pump Configuration and Control cluster), an invariant check (minLevel < currentLevel) fails and causes the device to abort. This leads to a denial of service condition. The issue is confirmed in SDK versions 1.3 and 1.4 (commit ab3d5ae), and is triggered remotely without authentication.

AnalysisAI

Remote denial of service in the Matter SDK (connectedhomeip) versions 1.3 through 1.4 lets unauthenticated attackers crash smart-home devices by racing a Level Control MoveToLevel command against a conflicting write to the Pump Configuration and Control cluster's OperationMode attribute, tripping a reachable assertion (minLevel < currentLevel) in the server tick callback. The abort forces the device to restart or hang, disrupting any product built on the affected SDK. No public exploit identified at time of analysis, and the issue is tracked via project-chip GitHub issue #38619 with no vendor-released patch identified.

Technical ContextAI

The Matter (formerly Project CHIP / connectedhomeip) SDK is the open-source reference implementation of the Matter smart-home interoperability standard used across many vendors' IoT devices. The flaw sits in the Level Control cluster server tick handler (emberAfLevelControlClusterServerTickCallback), which drives gradual attribute transitions such as dimming. When a MoveToLevel transition is in flight and the OperationMode attribute in the Pump Configuration and Control cluster is written to a conflicting value, the level-clamping bounds are altered so that the internal invariant minLevel < currentLevel no longer holds. This is a textbook CWE-617 Reachable Assertion: an assertion meant to catch impossible states is reachable through externally controlled input, and its failure aborts the process rather than degrading gracefully.

RemediationAI

No vendor-released patch identified at time of analysis; the issue is tracked in upstream GitHub issue https://github.com/project-chip/connectedhomeip/issues/38619 and no tagged fixed release is confirmed in the provided data, so upgrade to a patched SDK build once project-chip publishes one and rebuild affected device firmware. Until a fix ships, restrict Matter fabric access so only trusted commissioned controllers can send Level Control and Pump Configuration and Control commands, since Matter operational access normally requires prior commissioning - tightening commissioning and segmenting the IoT VLAN limits which nodes can reach the vulnerable endpoint. Where the device role permits, avoid exposing or disable the Pump Configuration and Control cluster on non-pump devices to remove the conflicting OperationMode write path, accepting the trade-off that legitimate pump-control functionality would be lost. Monitor affected devices for unexpected aborts or reboots as a detection measure. Do not apply invented version numbers - confirm the exact fixed commit or release directly from the project-chip repository before deployment.

Share

CVE-2025-56361 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy