Skip to main content

EmberZNet CVE-2026-47147

| EUVDEUVD-2026-39401 HIGH
Out-of-bounds Read (CWE-125)
2026-06-25 Silabs GHSA-522j-298p-h26w
7.1
CVSS 4.0 · Vendor: Silabs
Share

Severity by source

Vendor (Silabs) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Reachable over the Zigbee radio (AV:N) but only by a joined device (PR:L); bounded RAM disclosure gives C:L, while parser disruption of the OTA server yields A:H, with no integrity impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Silabs).

CVSS VectorVendor: Silabs

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:30 vuln.today

DescriptionCVE.org

In EmberZNet v9.0.2 and earlier, malformed OTA requests can drive the OTA server parser into out-of-bounds reads. A limited amount of data from RAM is read back to the requester. The size and location of this data is limited. These requests must come from a device that has already joined the network. Only devices supporting the OTA Server cluster may be impacted.

AnalysisAI

Out-of-bounds read in the Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device send malformed Over-The-Air (OTA) update requests that drive the OTA Server cluster parser past buffer boundaries, leaking a small, size- and location-limited amount of RAM back to the requester and potentially disrupting the OTA service. Only nodes that implement the OTA Server cluster are affected, and exploitation requires prior network membership (PR:L authenticated). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join or compromise a node on the Zigbee network
Delivery
Target a device running the OTA Server cluster
Exploit
Send malformed OTA upgrade requests
Execution
Trigger out-of-bounds read in OTA parser
Impact
Receive bounded RAM data and/or disrupt OTA service

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the target device to implement and expose the Zigbee OTA Server cluster - client-only and non-OTA devices are not affected; and (2) the attacker to send the malformed OTA requests from a device that has already joined the same Zigbee network (PR:L authenticated network member), so an un-commissioned outsider cannot directly trigger it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The available signals are moderate and broadly consistent rather than conflicting. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already commissioned or compromised a node on the target Zigbee network sends crafted, malformed OTA upgrade requests to a gateway acting as an OTA server. The bounded out-of-bounds read returns small fragments of the server's RAM to the attacker and/or destabilizes the OTA service. …
Remediation Upgrade EmberZNet to the Silicon Labs-released build that supersedes 9.0.2 (patch available per vendor advisory; the exact fixed version is not stated in the provided data - confirm the target build via the Silicon Labs advisory at https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/069Vm00000pEGPQIA4?operationContext=S1, pull the corrected SiSDK from https://github.com/SiliconLabsSoftware/sisdk-release/, then rebuild and reflash affected coordinator/gateway firmware). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all deployed EmberZNet implementations and identify systems running v9.0.2 or earlier with OTA Server cluster enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-41094 CRITICAL
9.8 Oct 04

TouchLink packets processed after timeout or out of range due to Operation on a Resource after Expiration and Missing Re

CVE-2022-24937 CRITICAL
9.8 Nov 14

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Silicon Labs Ember ZNet allows

CVE-2022-24938 HIGH
7.5 Nov 14

A malformed packet causes a stack overflow in the Ember ZNet stack. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2026-47154 HIGH
7.1 Jun 25

Remote denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network devi

CVE-2026-47153 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows a device already joined to the Zigb

CVE-2026-47152 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined network device to

CVE-2026-47151 HIGH
7.1 Jun 25

Out-of-bounds memory writes in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allow an already-joined network

CVE-2026-47150 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet (Zigbee stack) versions 9.0.2 and earlier allows an already-joined network d

CVE-2026-47149 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device cras

CVE-2026-47148 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to

CVE-2026-47146 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device cras

CVE-2026-47145 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to

Share

CVE-2026-47147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy