Emberznet
Monthly
Remote denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash the target by sending a malformed Simple Metering GetProfileResponse message that triggers an out-of-bounds read while iterating interval entries, terminating the process. Exploitation requires the attacker to be an authenticated member of the Zigbee network and only affects devices implementing the Simple Metering cluster. No public exploit identified at time of analysis, and no information leakage back to the sender was observed.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows a device already joined to the Zigbee network to crash a target node by sending a malformed Level Control 'Step' command that triggers a divide-by-zero (CWE-369) fault and terminates the process. Only nodes implementing the Level Control cluster are affected, and exploitation requires the attacker to already be an authenticated member of the network (CVSS 4.0 PR:L, VA:H). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined network device to crash the host process via a malformed Level Control 'Move' command that triggers a divide-by-zero fault. Only deployments where the target device supports the Level Control cluster are affected, and exploitation requires the attacker to be an authenticated member of the Zigbee network (PR:L). No public exploit identified at time of analysis; this is not on CISA KEV.
Out-of-bounds memory writes in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allow an already-joined network device to corrupt Door Lock schedule state by sending malformed ClearWeekdaySchedule messages. Only devices implementing the Door Lock cluster are affected, and the corruption is bounded in size and location, primarily threatening availability/integrity rather than data disclosure. No public exploit identified at time of analysis; a vendor patch is available.
Denial of service in Silicon Labs EmberZNet (Zigbee stack) versions 9.0.2 and earlier allows an already-joined network device to crash the host process by sending malformed IAS Zone enrollment messages, which trigger an out-of-bounds write to the state table. Only nodes that support the IAS Zone (security sensor) cluster are affected, and the attacker must already hold a valid place on the Zigbee network (PR:L). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash the target by sending Door Lock cluster messages containing malformed or out-of-range user identifiers, which trigger an out-of-bounds table read (CWE-125) that terminates the process. Only devices that implement the Door Lock cluster are affected, and no data is leaked back to the sender. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to crash a target by sending malformed GetGroupMembership commands, which cause repeated out-of-bounds reads past the message payload and terminate the process. Only devices implementing the Groups cluster are affected, and no information leakage to the sender was observed despite the read primitive. There is no public exploit identified at time of analysis, no CISA KEV listing, and the impact is availability-only (process termination), not code execution or data disclosure.
Out-of-bounds read in the Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device send malformed Over-The-Air (OTA) update requests that drive the OTA Server cluster parser past buffer boundaries, leaking a small, size- and location-limited amount of RAM back to the requester and potentially disrupting the OTA service. Only nodes that implement the OTA Server cluster are affected, and exploitation requires prior network membership (PR:L authenticated). No public exploit is identified and the CVE is not in CISA KEV; the CVSS 4.0 base score of 7.1 is driven mainly by high availability impact (VA:H) rather than data theft.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash a target by sending malformed Color Control cluster messages that trip a reachable assertion and terminate the process. Only devices implementing the Color Control cluster (typically color-capable lighting) are affected, and the attacker must already be a member of the Zigbee network. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to crash the target by sending malformed Color Control cluster messages, which trigger a reachable assertion that terminates the process. Only devices implementing the Color Control cluster (typically Zigbee lighting/color-capable nodes and coordinators) are affected. Vendor-rated CVSS 4.0 7.1 with availability-only impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined Zigbee device to crash the process by sending malformed global ZCL (Zigbee Cluster Library) messages that trigger out-of-bounds reads in the framework parsing logic. The flaw affects availability only - no information leakage back to the sender was observed despite the dataset's 'Information Disclosure' tag. A vendor patch is available, and there is no public exploit identified at time of analysis.
TouchLink packets processed after timeout or out of range due to Operation on a Resource after Expiration and Missing Release of Resource after Effective Lifetime may allow a device to be added. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A malformed packet causes a stack overflow in the Ember ZNet stack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Silicon Labs Ember ZNet allows Overflow Buffers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Remote denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash the target by sending a malformed Simple Metering GetProfileResponse message that triggers an out-of-bounds read while iterating interval entries, terminating the process. Exploitation requires the attacker to be an authenticated member of the Zigbee network and only affects devices implementing the Simple Metering cluster. No public exploit identified at time of analysis, and no information leakage back to the sender was observed.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows a device already joined to the Zigbee network to crash a target node by sending a malformed Level Control 'Step' command that triggers a divide-by-zero (CWE-369) fault and terminates the process. Only nodes implementing the Level Control cluster are affected, and exploitation requires the attacker to already be an authenticated member of the network (CVSS 4.0 PR:L, VA:H). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined network device to crash the host process via a malformed Level Control 'Move' command that triggers a divide-by-zero fault. Only deployments where the target device supports the Level Control cluster are affected, and exploitation requires the attacker to be an authenticated member of the Zigbee network (PR:L). No public exploit identified at time of analysis; this is not on CISA KEV.
Out-of-bounds memory writes in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allow an already-joined network device to corrupt Door Lock schedule state by sending malformed ClearWeekdaySchedule messages. Only devices implementing the Door Lock cluster are affected, and the corruption is bounded in size and location, primarily threatening availability/integrity rather than data disclosure. No public exploit identified at time of analysis; a vendor patch is available.
Denial of service in Silicon Labs EmberZNet (Zigbee stack) versions 9.0.2 and earlier allows an already-joined network device to crash the host process by sending malformed IAS Zone enrollment messages, which trigger an out-of-bounds write to the state table. Only nodes that support the IAS Zone (security sensor) cluster are affected, and the attacker must already hold a valid place on the Zigbee network (PR:L). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash the target by sending Door Lock cluster messages containing malformed or out-of-range user identifiers, which trigger an out-of-bounds table read (CWE-125) that terminates the process. Only devices that implement the Door Lock cluster are affected, and no data is leaked back to the sender. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to crash a target by sending malformed GetGroupMembership commands, which cause repeated out-of-bounds reads past the message payload and terminate the process. Only devices implementing the Groups cluster are affected, and no information leakage to the sender was observed despite the read primitive. There is no public exploit identified at time of analysis, no CISA KEV listing, and the impact is availability-only (process termination), not code execution or data disclosure.
Out-of-bounds read in the Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device send malformed Over-The-Air (OTA) update requests that drive the OTA Server cluster parser past buffer boundaries, leaking a small, size- and location-limited amount of RAM back to the requester and potentially disrupting the OTA service. Only nodes that implement the OTA Server cluster are affected, and exploitation requires prior network membership (PR:L authenticated). No public exploit is identified and the CVE is not in CISA KEV; the CVSS 4.0 base score of 7.1 is driven mainly by high availability impact (VA:H) rather than data theft.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash a target by sending malformed Color Control cluster messages that trip a reachable assertion and terminate the process. Only devices implementing the Color Control cluster (typically color-capable lighting) are affected, and the attacker must already be a member of the Zigbee network. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to crash the target by sending malformed Color Control cluster messages, which trigger a reachable assertion that terminates the process. Only devices implementing the Color Control cluster (typically Zigbee lighting/color-capable nodes and coordinators) are affected. Vendor-rated CVSS 4.0 7.1 with availability-only impact; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined Zigbee device to crash the process by sending malformed global ZCL (Zigbee Cluster Library) messages that trigger out-of-bounds reads in the framework parsing logic. The flaw affects availability only - no information leakage back to the sender was observed despite the dataset's 'Information Disclosure' tag. A vendor patch is available, and there is no public exploit identified at time of analysis.
TouchLink packets processed after timeout or out of range due to Operation on a Resource after Expiration and Missing Release of Resource after Effective Lifetime may allow a device to be added. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A malformed packet causes a stack overflow in the Ember ZNet stack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Silicon Labs Ember ZNet allows Overflow Buffers. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.