Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Sending MoveToLevel and attribute writes requires an authenticated Matter fabric session, so PR:L rather than PR:N; the deterministic two-step trigger gives AC:L, and impact is availability-only (A:H, C:N/I:N).
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.2, specifically within the Level Control cluster's periodic server tick logic. When a MoveToLevel command is sent and immediately followed by a write of OperationMode=2 (in the Pump Configuration and Control cluster), the server tick function violates the assertion currentLevel < maxLevel, resulting in a crash. This can be exploited remotely without authentication to cause denial of service. Affected versions include 1.3 and 1.4 (commit ab3d5ae).
AnalysisAI
Remotely triggerable denial of service in the Matter SDK (connectedhomeip) before 1.4.2 lets an attacker crash devices by driving the Level Control cluster's periodic server tick into a failed assertion (currentLevel < maxLevel). Sending a MoveToLevel command and immediately writing OperationMode=2 in the Pump Configuration and Control cluster produces an inconsistent internal state that aborts the process. No public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV; CVSS is 7.5 with availability-only impact.
Technical ContextAI
The affected component is the Matter (formerly Project CHIP / connectedhomeip) reference SDK, the cross-vendor implementation underlying most Matter-certified smart-home devices. The bug lives in the Level Control cluster's periodic server tick, which advances a device's brightness/level state over time; the Pump Configuration and Control cluster's OperationMode attribute feeds into the min/max bounds used by that logic. Writing OperationMode=2 concurrently with an in-flight MoveToLevel operation leaves currentLevel above the effective maxLevel, so the tick handler's C-style assertion currentLevel < maxLevel fails. This is a classic CWE-617 Reachable Assertion: attacker-influenced input reaches an assert() that aborts the program instead of handling the error state gracefully.
RemediationAI
Vendor-released patch: 1.4.2 - upgrade the embedded Matter SDK to 1.4.2 or later and rebuild/reflash affected device firmware, tracking status via https://github.com/project-chip/connectedhomeip/issues/38618. Because most impact reaches shipped devices through downstream firmware, downstream OEMs must pull the fixed SDK and issue OTA updates; end users cannot patch the library directly. Where immediate patching is impossible, reduce exposure by restricting which fabrics and controllers can reach affected devices (avoid multi-admin commissioning of untrusted controllers), and by not exposing the Pump Configuration and Control cluster on devices that do not genuinely need it, since the OperationMode write is a required trigger - note this removes legitimate pump-mode functionality. Segmenting the smart-home VLAN limits which hosts can open Matter sessions, at the cost of added deployment complexity.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210469
GHSA-qj9w-vfqp-8pcv