Skip to main content

lwIP CVE-2026-8836

| EUVDEUVD-2026-30793 CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-05-18 VulDB GHSA-3w8m-3w76-f6mh
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 18, 2026 - 19:30 vuln.today
Analysis Generated
May 18, 2026 - 19:30 vuln.today
CVSS changed
May 18, 2026 - 19:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)

DescriptionCVE.org

A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue.

AnalysisAI

Stack-based buffer overflow in lwIP through 2.2.1 enables remote unauthenticated attackers to corrupt stack memory in the SNMPv3 USM handler by sending a crafted msgAuthenticationParameters field to snmp_parse_inbound_frame in src/apps/snmp/snmp_msg.c. The flaw stems from a commented-out length assertion that allowed user-controlled TLV value lengths to exceed SNMP_V3_MAX_AUTH_PARAM_LENGTH during decoding. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation against a library widely embedded in IoT and embedded TCP/IP stacks.

Technical ContextAI

lwIP (lightweight IP) is a widely deployed open-source TCP/IP stack used in embedded systems, IoT devices, RTOS environments, and resource-constrained networking gear. The defect lives in the SNMPv3 User-based Security Model (USM) inbound message parser, which decodes ASN.1 BER-encoded TLV fields including msgAuthenticationParameters used for HMAC authentication. CWE-121 (Stack-based Buffer Overflow) applies because the parser read the attacker-supplied tlv.value_len directly into a fixed-size stack buffer sized by SNMP_V3_MAX_AUTH_PARAM_LENGTH without enforcing the bound - the upstream patch (commit 0c957ec0) re-enables the IF_PARSE_ASSERT length check and caps the copy length to SNMP_V3_MAX_AUTH_PARAM_LENGTH, confirming the root cause was a removed/disabled length guard rather than an arithmetic error.

RemediationAI

Apply the upstream fix available per vendor advisory by updating lwIP to a build that includes commit 0c957ec03054eb6c8205e9c9d1d05d90ada3898c from https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c (mirrored at https://cgit.git.savannah.gnu.org/cgit/lwip.git/commit/?id=0c957ec03054eb6c8205e9c9d1d05d90ada3898c); a released patched version number was not listed in lwIP's tagged releases at time of analysis, so downstream integrators should cherry-pick the commit and rebuild firmware. As compensating controls until firmware can be rolled out, disable the SNMP agent entirely if unused (LWIP_SNMP=0 at compile time, which eliminates the attack surface but removes SNMP-based monitoring), or restrict UDP/161 ingress at the network edge to a hardened management VLAN with allow-listed NMS source IPs (trade-off: legitimate out-of-segment monitoring breaks); where SNMPv3 is not required, switch the agent to SNMPv1/v2c builds so the vulnerable USM parser path is not compiled in, accepting the loss of authenticated/encrypted management.

Share

CVE-2026-8836 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy