Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated, low-complexity malformed groupcast packet crashes the process (A:H) with no confidentiality or integrity impact; network vector though realistically link-local.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A use of uninitialized value vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, where the GetDestinationGroupId().Value() method is called without first checking whether a value exists. This leads to a crash when an InvokeCommand is sent without initializing the destination group ID. The issue affects all versions before commit 0360cc3 (Dec 5, 2024) and leads to denial of service through SIGABRT. It is fixed by adding a .HasValue() check before access.
AnalysisAI
Denial of service in the Matter SDK (connectedhomeip) before version 1.4.0 allows remote attackers to crash a Matter device or controller by sending a groupcast InvokeCommand message without an initialized destination group ID. The ExchangeManager reads the optional GroupId via GetDestinationGroupId().Value() without a HasValue() guard (CWE-457), triggering a SIGABRT abort. An upstream fix exists (commit 0360cc3, PR #36729), and no public exploit has been identified at time of analysis; this is a network-reachable, unauthenticated availability issue with no confidentiality or integrity impact.
Technical ContextAI
The affected component is Project CHIP / connectedhomeip, the reference SDK implementing the Matter smart-home interoperability standard used across IoT ecosystems (Apple Home, Google Home, Amazon Alexa, Samsung SmartThings). The defect lives in src/messaging/ExchangeMgr.cpp within ExchangeManager::OnMessageReceived, which handles incoming groupcast (multicast) messages. Matter packet headers carry the destination group ID as an Optional<GroupId> type; the vulnerable code logs the value by calling GetDestinationGroupId().Value() directly. Per CWE-457 (Use of Uninitialized Value), dereferencing an Optional that holds no value on a Matter Optional/CHIP type triggers a VerifyOrDie-style assertion, aborting the process. The root cause is the missing precondition check that the diff remedies by wrapping the access in an if (…HasValue()) branch, with an else path that logs 'Received Groupcast Message without GroupId'.
RemediationAI
Upgrade to Matter SDK connectedhomeip 1.4.0 or later, which includes fix commit 0360cc3 that adds the GetDestinationGroupId().HasValue() guard before accessing the optional group ID (upstream fix available via PR #36729 - https://github.com/project-chip/connectedhomeip/pull/36729; the released 1.4.0 tag is the recommended patched baseline). Device and controller vendors who vendor the SDK should rebuild firmware against the patched source and ship updated images. Where immediate upgrade is not feasible, apply the single-diff patch from PR #36729 to src/messaging/ExchangeMgr.cpp as a hotfix, or as a compensating control restrict exposure of the Matter fabric to trusted network segments only - segment the IoT VLAN/Thread network and block untrusted hosts from sending groupcast/multicast traffic to Matter nodes; the trade-off is that legitimate multi-admin or cross-ecosystem group control may be constrained. Monitoring for repeated unexpected process aborts (SIGABRT) on Matter nodes can serve as a detection stopgap.
Same weakness CWE-457 – Use of Uninitialized Variable
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210471
GHSA-3xhc-5w7c-ppw7