Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote unauthenticated crafted read triggers a crash with no auth or interaction (AV:N/AC:L/PR:N/UI:N), and impact is availability-only, so C:N/I:N/A:H.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A null pointer dereference vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, affecting the ReadRevisionAttribute function used in multiple clusters (Channel, Account Login, TargetNavigator, etc.). The function lacks proper validation of the delegate pointer before dereferencing. A remote unauthenticated attacker can exploit this issue by sending a crafted read request, causing the device to crash (denial of service). This issue has been confirmed in SDK version v1.4 (commit ab3d5ae).
AnalysisAI
Denial of service in the Matter SDK (connectedhomeip) before 1.4.0 lets a remote unauthenticated attacker crash a smart-home device by sending a crafted read request. The flaw lives in the ReadRevisionAttribute function, which is reused across multiple clusters (Channel, Account Login, TargetNavigator), so any device exposing those clusters is affected. No public exploit identified at time of analysis, and the issue is availability-only (no code execution or data exposure).
Technical ContextAI
Matter (formerly Project CHIP, connectedhomeip) is the open, IP-based smart-home interoperability standard governed by the Connectivity Standards Alliance; its C++ reference SDK is embedded in countless commercial IoT products. The vulnerability is CWE-476 (NULL Pointer Dereference): the shared ReadRevisionAttribute helper dereferences a cluster 'delegate' pointer without first checking that it is non-null. When a read is issued for a cluster's revision attribute in a code path where the delegate was never registered or initialized, the dereference of the null pointer faults and terminates the device firmware. Because ReadRevisionAttribute is a common utility invoked by several application clusters, the single root-cause bug has a broad blast radius across the SDK's cluster implementations.
RemediationAI
Upgrade the embedded Matter SDK to connectedhomeip version 1.4.0 or later, which contains the delegate null-check fix, and rebuild/re-flash affected device firmware; downstream device owners should apply vendor firmware updates that incorporate the 1.4.0 SDK. Track upstream discussion at https://github.com/project-chip/connectedhomeip/issues/39173 to confirm the patched build. Where firmware cannot be updated immediately, reduce exposure by isolating Matter devices on a segmented IoT VLAN and restricting which controllers/nodes can send Interaction Model read requests to the affected clusters, so untrusted local hosts cannot reach the vulnerable read path - note this does not fix the bug and can interfere with legitimate multi-admin/commissioning flows. Disabling or not exposing the affected media clusters (Channel, Account Login, TargetNavigator) on devices that do not need them also removes the vulnerable attack surface, at the cost of losing that cluster's functionality. Reference the NVD advisory at https://nvd.nist.gov/vuln/detail/CVE-2025-56363 .
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210470
GHSA-mv6q-v23c-9757