CVE-2026-23750
Received Received - Intake
Heap-Based Buffer Overflow in Golioth Pouch BLE GATT Server

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: VulnCheck

Description
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23750
EUVD
EUVD-2026-8870
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golioth pouch to 0.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23750 is a heap-based buffer overflow vulnerability in the Golioth Pouch BLE GATT server certificate handling. The function server_cert_write() allocates a heap buffer of a fixed size when receiving the first fragment of a BLE GATT server certificate. However, when subsequent fragments arrive, they are appended using memcpy() without checking if there is enough space left in the buffer. This allows an adjacent BLE client to send unauthenticated fragments whose total size exceeds the allocated buffer, causing a heap overflow.

This overflow can lead to a crash of the system and potentially corrupt memory, impacting the integrity of the device. The vulnerability was fixed by adding a boundary check before copying data to ensure the buffer is not overflowed.

Impact Analysis

This vulnerability can cause a heap overflow that may crash the affected device or software, leading to denial of service. Additionally, because the overflow can corrupt memory, it may allow an attacker to compromise the integrity of the system, potentially leading to unauthorized behavior or exploitation.

The attack can be performed by an adjacent BLE client without any privileges or user interaction, making it relatively easy to exploit in environments where BLE communication is accessible.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update Golioth Pouch to a version that includes the fix from commit 1b2219a1.

The fix adds a boundary check before copying incoming BLE GATT server certificate fragments to ensure the combined size does not exceed the allocated buffer size (CONFIG_POUCH_SERVER_CERT_MAX_LEN), preventing heap overflow.

Until the update is applied, restrict or monitor BLE GATT server certificate fragment transmissions from adjacent BLE clients to prevent unauthenticated fragments that could trigger the overflow.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23750. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart