Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable with PR:L per provided vector; crashes warrant A:L and memory leakage warrants C:L, contrary to the provided VA:N omission.
Primary rating from Vendor (Silabs).
CVSS VectorVendor: Silabs
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Improper bounds validation in EmberZNet SDK versions 9.0.2 and earlier may result in crashes or dynamic memory leakage.
AnalysisAI
Improper bounds validation in Silicon Labs EmberZNet SDK versions 9.0.2 and earlier exposes Zigbee-connected devices to crashes and dynamic memory leakage via network-reachable input. Authenticated network attackers can trigger the flaw with low complexity, resulting in denial-of-service conditions or unintended disclosure of heap contents. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires low-privilege network access - the CVSS 4.0 vector specifies PR:L, indicating the attacker must hold some form of authenticated access or established session on the Zigbee PAN before sending the malicious frame. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N) scores 5.3 (Medium) and captures the low-confidentiality impact of memory leakage, but omits any availability metric (VA:N) despite the description explicitly stating crashes are a possible outcome - this is a notable inconsistency that defenders should verify against the vendor advisory. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a Zigbee-capable radio and valid network credentials (or a compromised node on the same PAN) sends a crafted Zigbee protocol frame containing a length parameter that exceeds the allocated buffer size in the EmberZNet stack. The SDK's bounds validation fails to reject the inconsistency, resulting in either a crash of the host Zigbee process or a heap memory read that leaks dynamic allocation contents back to the attacker. … |
| Remediation | Upgrade to a patched EmberZNet SDK release published in the SiliconLabsSoftware/sisdk-release repository (https://github.com/SiliconLabsSoftware/sisdk-release) beyond version 9.0.2; the exact fixed release version was not independently confirmed from the available data - consult the vendor advisory at https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/069Vm00000pYDOwIAO?operationContext=S1 for the confirmed patch version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39411
GHSA-2mwj-cc94-39wv