Skip to main content

Matter SDK CVE-2025-56364

| EUVDEUVD-2025-210471 HIGH
Use of Uninitialized Variable (CWE-457)
2026-07-14 cve@mitre.org GHSA-3xhc-5w7c-ppw7
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated, low-complexity malformed groupcast packet crashes the process (A:H) with no confidentiality or integrity impact; network vector though realistically link-local.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
Jul 15, 2026 - 15:28 vuln.today
Analysis Generated
Jul 15, 2026 - 15:28 vuln.today
CVSS changed
Jul 15, 2026 - 15:22 NVD
7.5 (HIGH)
CVE Published
Jul 14, 2026 - 23:17 cve.org
HIGH 7.5
CVE Published
Jul 14, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A use of uninitialized value vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, where the GetDestinationGroupId().Value() method is called without first checking whether a value exists. This leads to a crash when an InvokeCommand is sent without initializing the destination group ID. The issue affects all versions before commit 0360cc3 (Dec 5, 2024) and leads to denial of service through SIGABRT. It is fixed by adding a .HasValue() check before access.

AnalysisAI

Denial of service in the Matter SDK (connectedhomeip) before version 1.4.0 allows remote attackers to crash a Matter device or controller by sending a groupcast InvokeCommand message without an initialized destination group ID. The ExchangeManager reads the optional GroupId via GetDestinationGroupId().Value() without a HasValue() guard (CWE-457), triggering a SIGABRT abort. An upstream fix exists (commit 0360cc3, PR #36729), and no public exploit has been identified at time of analysis; this is a network-reachable, unauthenticated availability issue with no confidentiality or integrity impact.

Technical ContextAI

The affected component is Project CHIP / connectedhomeip, the reference SDK implementing the Matter smart-home interoperability standard used across IoT ecosystems (Apple Home, Google Home, Amazon Alexa, Samsung SmartThings). The defect lives in src/messaging/ExchangeMgr.cpp within ExchangeManager::OnMessageReceived, which handles incoming groupcast (multicast) messages. Matter packet headers carry the destination group ID as an Optional<GroupId> type; the vulnerable code logs the value by calling GetDestinationGroupId().Value() directly. Per CWE-457 (Use of Uninitialized Value), dereferencing an Optional that holds no value on a Matter Optional/CHIP type triggers a VerifyOrDie-style assertion, aborting the process. The root cause is the missing precondition check that the diff remedies by wrapping the access in an if (…HasValue()) branch, with an else path that logs 'Received Groupcast Message without GroupId'.

RemediationAI

Upgrade to Matter SDK connectedhomeip 1.4.0 or later, which includes fix commit 0360cc3 that adds the GetDestinationGroupId().HasValue() guard before accessing the optional group ID (upstream fix available via PR #36729 - https://github.com/project-chip/connectedhomeip/pull/36729; the released 1.4.0 tag is the recommended patched baseline). Device and controller vendors who vendor the SDK should rebuild firmware against the patched source and ship updated images. Where immediate upgrade is not feasible, apply the single-diff patch from PR #36729 to src/messaging/ExchangeMgr.cpp as a hotfix, or as a compensating control restrict exposure of the Matter fabric to trusted network segments only - segment the IoT VLAN/Thread network and block untrusted hosts from sending groupcast/multicast traffic to Matter nodes; the trade-off is that legitimate multi-admin or cross-ecosystem group control may be constrained. Monitoring for repeated unexpected process aborts (SIGABRT) on Matter nodes can serve as a detection stopgap.

Share

CVE-2025-56364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy