Skip to main content

Golioth Pouch CVE-2026-23750

HIGH
Heap-based Buffer Overflow (CWE-122)
2026-02-26 disclosure@vulncheck.com
7.2
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Adjacent BLE reach (AV:A) with no auth or interaction (PR:N/UI:N); unchecked memcpy yields high integrity and availability impact but no data disclosure (C:N).

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jul 14, 2026 - 16:51 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 14, 2026 - 16:49 vuln.today
Analysis Updated
Jul 14, 2026 - 16:49 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 16:22 NVD
8.1 (HIGH) 7.2 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Feb 26, 2026 - 18:23 nvd
HIGH 8.1

DescriptionCVE.org

Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

AnalysisAI

Heap-based buffer overflow in Golioth Pouch 0.1.0 (prior to commit 1b2219a1) lets an adjacent, unauthenticated BLE client corrupt device memory through the GATT server-certificate characteristic. The server_cert_write() handler sizes a heap buffer once on the first fragment but appends later fragments with memcpy() and no bounds check, so an oversized fragmented write overflows the allocation, crashing the device and potentially corrupting adjacent heap data. EPSS is negligible (0.01%, 3rd percentile) and there is no public exploit identified at time of analysis, but the flaw is remotely reachable within BLE range without credentials.

Technical ContextAI

Golioth Pouch is a firmware transport library (built on Zephyr's Bluetooth/BLE GATT stack) used by embedded IoT devices to provision and communicate with the Golioth cloud. The affected code path, src/transport/gatt/server_cert_characteristic.c, implements a GATT characteristic write handler for delivering a server certificate in multiple BLE fragments. On the first fragment it allocates a heap buffer of CONFIG_POUCH_SERVER_CERT_MAX_LEN, then for each subsequent fragment copies payload_len bytes with memcpy() into that buffer while advancing ctx->cert.size. Because no check confirms that ctx->cert.size + payload_len stays within CONFIG_POUCH_SERVER_CERT_MAX_LEN, the copy can write past the allocation. This is a classic CWE-122 heap-based buffer overflow caused by trusting attacker-supplied cumulative length across fragmented BLE writes.

Affected ProductsAI

Golioth Pouch version 0.1.0, specifically all revisions prior to fix commit 1b2219a1, in the BLE GATT server-certificate transport (src/transport/gatt/server_cert_characteristic.c). No CPE string was supplied in the intelligence set, so exact packaged/tagged version boundaries are not independently confirmed beyond the single 0.1.0 reference. Vendor and disclosure detail is available at the VulnCheck advisory (https://www.vulncheck.com/advisories/golioth-pouch-ble-gatt-heap-based-buffer-overflow), the Secmate disclosure (https://secmate.dev/disclosures/SECMATE-2025-0018 and https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/), and the upstream repository (https://github.com/golioth/pouch).

RemediationAI

Upstream fix available (PR/commit) - https://github.com/golioth/pouch/commit/1b2219a1 - but a released, tagged patched version is not independently confirmed from the provided data, so update to a build that includes commit 1b2219a1 or later, which adds the missing check that rejects writes where ctx->cert.size + payload_len exceeds CONFIG_POUCH_SERVER_CERT_MAX_LEN (returning BT_ATT_ERR_INVALID_ATTRIBUTE_LEN). Where firmware cannot be rebuilt immediately, reduce exposure by restricting BLE reachability: disable or gate the certificate-provisioning GATT service outside of active provisioning, require pairing/bonding before accepting writes to the certificate characteristic, and physically limit or shield devices so untrusted clients cannot approach within BLE radio range. Trade-offs: disabling or bonding-gating the characteristic can break legitimate over-BLE provisioning workflows, and range/physical controls do not help devices deployed in public or shared spaces. Consult the vendor advisory at https://www.vulncheck.com/advisories/golioth-pouch-ble-gatt-heap-based-buffer-overflow and Secmate SECMATE-2025-0018 for confirmation of a tagged release.

Share

CVE-2026-23750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy