Skip to main content

Matter SDK CVE-2025-56362

| EUVDEUVD-2025-210469 HIGH
Reachable Assertion (CWE-617)
2026-07-14 cve@mitre.org GHSA-qj9w-vfqp-8pcv
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Sending MoveToLevel and attribute writes requires an authenticated Matter fabric session, so PR:L rather than PR:N; the deterministic two-step trigger gives AC:L, and impact is availability-only (A:H, C:N/I:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jul 15, 2026 - 15:27 vuln.today
CVSS changed
Jul 15, 2026 - 15:22 NVD
7.5 (HIGH)
CVE Published
Jul 14, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)
CVE Published
Jul 14, 2026 - 23:17 cve.org
HIGH 7.5

DescriptionCVE.org

A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.2, specifically within the Level Control cluster's periodic server tick logic. When a MoveToLevel command is sent and immediately followed by a write of OperationMode=2 (in the Pump Configuration and Control cluster), the server tick function violates the assertion currentLevel < maxLevel, resulting in a crash. This can be exploited remotely without authentication to cause denial of service. Affected versions include 1.3 and 1.4 (commit ab3d5ae).

AnalysisAI

Remotely triggerable denial of service in the Matter SDK (connectedhomeip) before 1.4.2 lets an attacker crash devices by driving the Level Control cluster's periodic server tick into a failed assertion (currentLevel < maxLevel). Sending a MoveToLevel command and immediately writing OperationMode=2 in the Pump Configuration and Control cluster produces an inconsistent internal state that aborts the process. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; CVSS is 7.5 with availability-only impact.

Technical ContextAI

The affected component is the Matter (formerly Project CHIP / connectedhomeip) reference SDK, the cross-vendor implementation underlying most Matter-certified smart-home devices. The bug lives in the Level Control cluster's periodic server tick, which advances a device's brightness/level state over time; the Pump Configuration and Control cluster's OperationMode attribute feeds into the min/max bounds used by that logic. Writing OperationMode=2 concurrently with an in-flight MoveToLevel operation leaves currentLevel above the effective maxLevel, so the tick handler's C-style assertion currentLevel < maxLevel fails. This is a classic CWE-617 Reachable Assertion: attacker-influenced input reaches an assert() that aborts the program instead of handling the error state gracefully.

RemediationAI

Vendor-released patch: 1.4.2 - upgrade the embedded Matter SDK to 1.4.2 or later and rebuild/reflash affected device firmware, tracking status via https://github.com/project-chip/connectedhomeip/issues/38618. Because most impact reaches shipped devices through downstream firmware, downstream OEMs must pull the fixed SDK and issue OTA updates; end users cannot patch the library directly. Where immediate patching is impossible, reduce exposure by restricting which fabrics and controllers can reach affected devices (avoid multi-admin commissioning of untrusted controllers), and by not exposing the Pump Configuration and Control cluster on devices that do not genuinely need it, since the OperationMode write is a required trigger - note this removes legitimate pump-mode functionality. Segmenting the smart-home VLAN limits which hosts can open Matter sessions, at the cost of added deployment complexity.

Share

CVE-2025-56362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy