Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue.
AnalysisAI
Stack-based buffer overflow in lwIP through 2.2.1 enables remote unauthenticated attackers to corrupt stack memory in the SNMPv3 USM handler by sending a crafted msgAuthenticationParameters field to snmp_parse_inbound_frame in src/apps/snmp/snmp_msg.c. The flaw stems from a commented-out length assertion that allowed user-controlled TLV value lengths to exceed SNMP_V3_MAX_AUTH_PARAM_LENGTH during decoding. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation against a library widely embedded in IoT and embedded TCP/IP stacks.
Technical ContextAI
lwIP (lightweight IP) is a widely deployed open-source TCP/IP stack used in embedded systems, IoT devices, RTOS environments, and resource-constrained networking gear. The defect lives in the SNMPv3 User-based Security Model (USM) inbound message parser, which decodes ASN.1 BER-encoded TLV fields including msgAuthenticationParameters used for HMAC authentication. CWE-121 (Stack-based Buffer Overflow) applies because the parser read the attacker-supplied tlv.value_len directly into a fixed-size stack buffer sized by SNMP_V3_MAX_AUTH_PARAM_LENGTH without enforcing the bound - the upstream patch (commit 0c957ec0) re-enables the IF_PARSE_ASSERT length check and caps the copy length to SNMP_V3_MAX_AUTH_PARAM_LENGTH, confirming the root cause was a removed/disabled length guard rather than an arithmetic error.
RemediationAI
Apply the upstream fix available per vendor advisory by updating lwIP to a build that includes commit 0c957ec03054eb6c8205e9c9d1d05d90ada3898c from https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c (mirrored at https://cgit.git.savannah.gnu.org/cgit/lwip.git/commit/?id=0c957ec03054eb6c8205e9c9d1d05d90ada3898c); a released patched version number was not listed in lwIP's tagged releases at time of analysis, so downstream integrators should cherry-pick the commit and rebuild firmware. As compensating controls until firmware can be rolled out, disable the SNMP agent entirely if unused (LWIP_SNMP=0 at compile time, which eliminates the attack surface but removes SNMP-based monitoring), or restrict UDP/161 ingress at the network edge to a hardened management VLAN with allow-listed NMS source IPs (trade-off: legitimate out-of-segment monitoring breaks); where SNMPv3 is not required, switch the agent to SNMPv1/v2c builds so the vulnerable USM parser path is not compiled in, accepting the loss of authenticated/encrypted management.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30793
GHSA-3w8m-3w76-f6mh