CVE-2026-23750
7.2
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Golioth | Pouch | 0.1.0 | affected |
| Golioth | Pouch | 1b2219a159bcbef3f37caa303bbf14d14e979c11 | unaffected |
Weaknesses
- CWE-122: CWE-122 Heap-based Buffer Overflow
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://secmate.dev/disclosures/SECMATE-2025-0018
- https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
- https://github.com/golioth/pouch/commit/1b2219a1
- https://www.vulncheck.com/advisories/golioth-pouch-ble-gatt-heap-based-buffer-overflow
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.