
LR1110 · EUVD-2025-209282

CVE-2025-14857 · MEDIUM
Write-what-where Condition (CWE-123)
2026-04-07 · SWI · GHSA-xjjj-2993-4g39
CVSS 4.0 (NVD): 5.4

Severity by source

NVD PRIMARY
5.4 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:D/RE:M/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

EUVD ID Assigned: Apr 07, 2026 - 20:16 (euvd), EUVD-2025-209282
Analysis Generated: Apr 07, 2026 - 20:16 (vuln.today)
CVE Published: Apr 07, 2026 - 19:56 (nvd), MEDIUM 5.4

Description (CVE.org)

An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device's secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access.

Analysis (AI)

Stack memory write protection bypass in Semtech LoRa LR11xx transceiver firmware allows physical attackers with SPI interface access to overwrite the program call stack and achieve limited arbitrary code execution during an active session. The vulnerability affects LR1110, LR1120, and LR1121 devices running early firmware versions; however, impact is constrained to the current attack session because secure boot prevents persistent firmware modification, cryptographic keys remain isolated, and all changes revert upon device reboot or loss of physical access. The CVSS score of 5.4 (Medium) reflects the physical attack requirement despite high confidentiality and integrity impact.

Technical Context (AI)

Semtech LoRa LR11xx transceivers (LR1110, LR1120, LR1121) are sub-GHz wireless transceiver chips used in IoT and LoRaWAN applications. The vulnerability resides in the firmware's memory write command handler, which is accessible via the physical Serial Peripheral Interface (SPI) bus, the primary communication protocol between the transceiver and host microcontroller. The root cause is an improper access control flaw (CWE-123: Write-What-Where Condition) where the firmware fails to enforce write protection on the program call stack memory region. An attacker with direct physical access to the SPI interface can craft malformed memory write commands that bypass protection checks and overwrite stack data, enabling control flow hijacking. The device's secure boot mechanism and isolated cryptographic engine (referenced in the description) mitigate persistence and key extraction, limiting the attack window to the duration of physical access and the active session.

Remediation (AI)

Update affected Semtech LR11xx transceiver firmware to the patched version specified in Semtech security bulletin SEM-PSA-2026-001 (https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001). Exact patched firmware versions are not provided in the available data; consult the Semtech advisory for the correct target version for your device model and current firmware level. As an interim mitigation, restrict physical SPI interface access through mechanical tamper-evident enclosures, secure mounting in controlled-access facilities, or disabling SPI debug interfaces where permitted by application requirements. Monitor firmware update channels from Semtech and implement a rollout plan prioritizing devices in physically accessible or untrusted environments. Secure boot is already present and functional; verify it remains enabled in your deployment.
