Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker must be a joined Zigbee node (PR:L) reaching the target over the network (AV:N) with no interaction; crafted frame trivially triggers a crash (AC:L) causing availability-only loss (A:H).
Primary rating from Vendor (Silabs).
CVSS VectorVendor: Silabs
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
In EmberZNet v9.0.2 and earlier, malformed Color Control messages can lead to asserts that terminate the process. These messages must come from a device that has already joined the network. Only devices supporting the Color Control cluster may be impacted.
AnalysisAI
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to crash the target by sending malformed Color Control cluster messages, which trigger a reachable assertion that terminates the process. Only devices implementing the Color Control cluster (typically Zigbee lighting/color-capable nodes and coordinators) are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker's device has already joined the same Zigbee network as the target (PR:L - the join/commissioning step is a hard prerequisite, not optional), and the target must implement and expose the Color Control cluster, so non-lighting/non-color-capable EmberZNet devices are not impacted. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) with VA:H and VC:N/VI:N/SI:N confirms this is a pure availability/denial-of-service issue, not code execution or data exposure - note this contradicts the 'Information Disclosure' tag in the input, and the CVSS metrics (no confidentiality/integrity impact) should be trusted over that tag, which appears mislabeled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or compromises a device already commissioned onto the Zigbee network sends a crafted, malformed Color Control command to a color-capable target running vulnerable EmberZNet. The malformed frame trips a reachable assertion in the stack, terminating the process and knocking the device offline until it restarts, and the attack can be repeated to cause sustained outage. … |
| Remediation | Patch available per vendor advisory: upgrade EmberZNet beyond v9.0.2 to the fixed release distributed through the Silicon Labs SiSDK (https://github.com/SiliconLabsSoftware/sisdk-release/) and follow the advisory at https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/069Vm00000pEGPQIA4; an exact patched version number is not stated in the provided data, so confirm the target release with Silicon Labs. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Silicon Labs EmberZNet deployments, prioritizing devices implementing Color Control cluster (lighting nodes, coordinators). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
TouchLink packets processed after timeout or out of range due to Operation on a Resource after Expiration and Missing Re
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Silicon Labs Ember ZNet allows
A malformed packet causes a stack overflow in the Ember ZNet stack. Rated high severity (CVSS 7.5), this vulnerability i
Remote denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network devi
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows a device already joined to the Zigb
Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined network device to
Out-of-bounds memory writes in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allow an already-joined network
Denial of service in Silicon Labs EmberZNet (Zigbee stack) versions 9.0.2 and earlier allows an already-joined network d
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device cras
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to
Out-of-bounds read in the Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device cras
Same weakness CWE-617 – Reachable Assertion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39399
GHSA-j947-x436-34ff