Skip to main content

Matter SDK EUVDEUVD-2025-210472

| CVE-2025-56365 HIGH
Reachable Assertion (CWE-617)
2026-07-14 cve@mitre.org GHSA-wj9x-8hv5-2p36
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-reachable low-complexity crash affecting availability only; PR:L reflects that delivering an interaction-model invoke normally requires an established Matter fabric session, not fully anonymous access.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
Jul 15, 2026 - 15:29 vuln.today
Analysis Generated
Jul 15, 2026 - 15:29 vuln.today
CVSS changed
Jul 15, 2026 - 15:22 NVD
7.5 (HIGH)
CVE Published
Jul 14, 2026 - 23:17 cve.org
HIGH 7.5
CVE Published
Jul 14, 2026 - 23:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A reachable assertion vulnerability exists in the Matter SDK (connectedhomeip) before 1.4.0, in the interaction model command processing logic. When an InvokeCommandRequest is sent to a nonexistent endpoint and cluster (e.g., 0x34), the code incorrectly treats the endpoint as valid due to missing checks in CodegenDataModelProvider::Invoke. This causes a VerifyOrDie failure in ProcessCommandDataIB and results in a crash (SIGABRT). The issue has been acknowledged and fixed in a later revision (PR #37207).

AnalysisAI

Denial of service in the Matter SDK (connectedhomeip) before 1.4.0 lets a network attacker crash the device by sending an InvokeCommandRequest to a nonexistent endpoint/cluster (e.g. 0x34), which the interaction model treats as valid and then aborts on a VerifyOrDie assertion (SIGABRT). This is a reachable-assertion bug (CWE-617) with availability-only impact and no data compromise. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; the issue was acknowledged upstream and fixed in PR #37207.

Technical ContextAI

The Matter SDK (project-chip/connectedhomeip) is the open-source reference implementation of the Matter smart-home interoperability protocol, providing the data model, interaction model, and transport stack embedded in many Matter-certified accessories and controllers. The defect lives in the codegen data model provider: CodegenDataModelProvider::Invoke (and related AcceptedCommands/GeneratedCommands paths) failed to first confirm that the target cluster actually exists on the addressed endpoint. Because some CommandHandlerInterface instances register for ALL endpoints, an invoke against a bogus endpoint/cluster path bypassed metadata validation and reached ProcessCommandDataIB, which enforces path validity with a VerifyOrDie that aborts the process. The fix adds an explicit FindServerCluster/ValidateClusterPath check (returning CHIP_ERROR_NOT_FOUND / Status::UnsupportedEndpoint / UnsupportedCluster) before command dispatch. Per CWE-617 (Reachable Assertion), attacker-controlled input drives an assertion that is meant to catch programmer errors, converting a should-never-happen condition into an availability failure.

RemediationAI

Upstream fix available (PR #37207); a released patched version is Matter SDK 1.4.0 or later per the 'before 1.4.0' NVD description, so upgrade the connectedhomeip dependency to 1.4.0+ and rebuild/reflash affected device firmware and controllers. The fix adds a cluster-existence check (FindServerCluster/ValidateClusterPath returning NOT_FOUND for unknown endpoint or cluster) before command dispatch - see https://github.com/project-chip/connectedhomeip/pull/37207 and issue https://github.com/project-chip/connectedhomeip/issues/37184. Where immediate rebuilding is not possible, reduce exposure by restricting network reachability to the Matter device (isolate it on a trusted IoT VLAN and limit which controllers can open sessions), and where the platform supports it disable VerifyOrDie-style abort-on-assert or wrap it to fail the transaction instead of the process - with the trade-off that suppressing the assert masks genuine invariant violations and should only be a stopgap until the validated build is deployed. Because impact is a process crash, ensure a watchdog/supervisor automatically restarts the Matter application to shorten downtime.

Share

EUVD-2025-210472 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy