CVE-2026-23749
Received Received - Intake
Out-of-Bounds Read in Golioth Firmware SDK Causes DoS

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: VulnCheck

Description
Golioth Firmware SDK version 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contain an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwise_transfer_init() accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A later strlen() on this buffer (in golioth_coap_client_get_internal()) can read past the end of the allocation, resulting in a crash/denial of service. The input is application-controlled (not network by default).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23749
EUVD
EUVD-2026-8869
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golioth golioth_firmware_sdk to 0.22.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-170 The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23749 is an out-of-bounds read vulnerability in the Golioth Firmware SDK versions prior to 0.22.0. It occurs because the function blockwise_transfer_init() copies a path string using strncpy() without ensuring it is null-terminated. If the path length equals the maximum allowed length, the copied buffer remains unterminated. Later, when strlen() is called on this buffer, it can read beyond the allocated memory, potentially causing a crash or denial of service.

The input that triggers this vulnerability is controlled by the application, not by network input by default.

Impact Analysis

This vulnerability can lead to a crash or denial of service in applications using the affected Golioth Firmware SDK versions. Because the out-of-bounds read can cause memory safety violations, it may destabilize the system or interrupt normal operation.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is triggered by application-controlled input rather than network input by default, making network detection less straightforward.

Detection would involve analyzing the usage of the blockwise_transfer_init() function in the Golioth Firmware SDK versions prior to 0.22.0 to see if paths of length equal to CONFIG_GOLIOTH_COAP_MAX_PATH_LEN are passed without proper null termination.

Since the issue involves an out-of-bounds read caused by improper null termination, one could use debugging or memory analysis tools to detect crashes or memory violations related to strlen() calls on the ctx->path buffer.

No specific commands or network detection signatures are provided in the available information.

Mitigation Strategies

The primary mitigation step is to upgrade the Golioth Firmware SDK to version 0.22.0 or later, where the vulnerability has been fixed.

The fix ensures that the path copied into the blockwise transfer context is always null-terminated, preventing out-of-bounds reads.

If upgrading immediately is not possible, review and modify application code to ensure that any path passed to blockwise_transfer_init() is properly null-terminated and does not reach the maximum path length without a terminating null byte.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23749. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart