Skip to main content

EmberZNet EUVDEUVD-2026-39406

| CVE-2026-47151 HIGH
Out-of-bounds Write (CWE-787)
2026-06-25 Silabs GHSA-f5m5-vmq3-gx5r
7.1
CVSS 4.0 · Vendor: Silabs
Share

Severity by source

Vendor (Silabs) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Network-reachable from an already-joined device (PR:L), no user interaction; bounded OOB write yields limited integrity (I:L) and high availability (A:H) impact with no disclosure (C:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Silabs).

CVSS VectorVendor: Silabs

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:33 vuln.today

DescriptionCVE.org

In EmberZNet v9.0.2 and earlier, malformed ClearWeekdaySchedule messages can trigger out-of-bounds writes into Door Lock schedule state. The size and location of this data is limited. These messages must come from a device that has already joined the network. Only devices supporting the Door Lock cluster may be impacted.

AnalysisAI

Out-of-bounds memory writes in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allow an already-joined network device to corrupt Door Lock schedule state by sending malformed ClearWeekdaySchedule messages. Only devices implementing the Door Lock cluster are affected, and the corruption is bounded in size and location, primarily threatening availability/integrity rather than data disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Join or compromise device on Zigbee network
Delivery
Craft malformed ClearWeekdaySchedule message
Exploit
Send to Door Lock cluster device
Execution
Trigger bounded out-of-bounds write
Impact
Corrupt schedule state, degrade availability

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to control a device that has ALREADY joined the target Zigbee network (PR:L), and the target device must support and have enabled the Zigbee Door Lock cluster - devices without that cluster are not impacted. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderate and internally consistent: the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates network reach with low complexity and no user interaction, but PR:L reflects the key gating condition - the attacker must already be a joined member of the Zigbee network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has compromised or spoofed a device already joined to the Zigbee network sends a crafted, malformed ClearWeekdaySchedule command to a door lock that supports the Door Lock cluster. The bounded out-of-bounds write corrupts the lock's schedule state, degrading availability (e.g., crashing or disrupting scheduled access control) and partially affecting integrity of stored schedules. …
Remediation Patch available per vendor advisory: update the EmberZNet stack to the fixed release published by Silicon Labs and rebuild/reflash affected Door Lock devices, following the Silicon Labs advisory (https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/069Vm00000pEGPQIA4?operationContext=S1) and the patched sources at https://github.com/SiliconLabsSoftware/sisdk-release/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24-hour: Inventory all systems running EmberZNet v9.0.2 or earlier with Door Lock cluster implementation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-41094 CRITICAL
9.8 Oct 04

TouchLink packets processed after timeout or out of range due to Operation on a Resource after Expiration and Missing Re

CVE-2022-24937 CRITICAL
9.8 Nov 14

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Silicon Labs Ember ZNet allows

CVE-2022-24938 HIGH
7.5 Nov 14

A malformed packet causes a stack overflow in the Ember ZNet stack. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2026-47154 HIGH
7.1 Jun 25

Remote denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network devi

CVE-2026-47153 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows a device already joined to the Zigb

CVE-2026-47152 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined network device to

CVE-2026-47150 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet (Zigbee stack) versions 9.0.2 and earlier allows an already-joined network d

CVE-2026-47149 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device cras

CVE-2026-47148 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to

CVE-2026-47147 HIGH
7.1 Jun 25

Out-of-bounds read in the Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device

CVE-2026-47146 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device cras

CVE-2026-47145 HIGH
7.1 Jun 25

Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to

Share

EUVD-2026-39406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy