Skip to main content

EmberZNet CVE-2026-47150

| EUVDEUVD-2026-39405 HIGH
Out-of-bounds Write (CWE-787)
2026-06-25 Silabs GHSA-w2c5-vjq8-v8hc
7.1
CVSS 4.0 · Vendor: Silabs
Share

Severity by source

Vendor (Silabs) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

PR:L because the attacker must already be a joined network device; A:H for process termination, I:L for the constrained out-of-bounds write, C:N as no data disclosure occurs.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Silabs).

CVSS VectorVendor: Silabs

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:31 vuln.today

DescriptionCVE.org

In EmberZNet v9.0.2 and earlier, malformed IAS Zone enrollment messages can trigger an out-of-bounds state-table write and terminate the process. The size and location of this write is limited. These messages must come from a device that has already joined the network. Only devices supporting the IAS Zone cluster may be impacted.

AnalysisAI

Denial of service in Silicon Labs EmberZNet (Zigbee stack) versions 9.0.2 and earlier allows an already-joined network device to crash the host process by sending malformed IAS Zone enrollment messages, which trigger an out-of-bounds write to the state table. Only nodes that support the IAS Zone (security sensor) cluster are affected, and the attacker must already hold a valid place on the Zigbee network (PR:L). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join or compromise a network device
Delivery
Craft malformed IAS Zone enrollment frame
Exploit
Trigger out-of-bounds state-table write
Execution
Terminate target process
Impact
Repeat for sustained denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already be a joined member of the Zigbee network (PR:L) - an external, never-joined radio cannot trigger it - and the target must implement and accept IAS Zone cluster enrollment messages; devices without the IAS Zone cluster are not impacted. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N, VC:N/VI:L/VA:H) scores 7.1 (High) and accurately frames this as primarily an availability problem requiring a foothold on the network - PR:L reflects that messages 'must come from a device that has already joined the network,' so this is not an unauthenticated remote crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised or spoofed a device already joined to the Zigbee network sends crafted, malformed IAS Zone enrollment frames to a target node that supports the IAS Zone cluster. The out-of-bounds state-table write corrupts memory and terminates the target's process, knocking the device (e.g., a security sensor or coordinator) offline; repeated transmission produces a sustained denial of service. …
Remediation Patch available per vendor advisory: upgrade EmberZNet to a fixed release beyond 9.0.2 obtained from the Silicon Labs SiSDK release channel (https://github.com/SiliconLabsSoftware/sisdk-release/) and review the advisory at the Silicon Labs portal for the exact corrected version, then rebuild and reflash affected SoC/NCP firmware - an exact fixed version string was not provided in the input and should be confirmed from the advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Zigbee devices using IAS Zone cluster and identify any running EmberZNet versions 9.0.2 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-41094 CRITICAL
9.8 Oct 04

TouchLink packets processed after timeout or out of range due to Operation on a Resource after Expiration and Missing Re

CVE-2022-24937 CRITICAL
9.8 Nov 14

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Silicon Labs Ember ZNet allows

CVE-2022-24938 HIGH
7.5 Nov 14

A malformed packet causes a stack overflow in the Ember ZNet stack. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2026-47154 HIGH
7.1 Jun 25

Remote denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network devi

CVE-2026-47153 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows a device already joined to the Zigb

CVE-2026-47152 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined network device to

CVE-2026-47151 HIGH
7.1 Jun 25

Out-of-bounds memory writes in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allow an already-joined network

CVE-2026-47149 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device cras

CVE-2026-47148 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to

CVE-2026-47147 HIGH
7.1 Jun 25

Out-of-bounds read in the Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device

CVE-2026-47146 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device cras

CVE-2026-47145 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to

Share

CVE-2026-47150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy