CVE-2026-4526
Undergoing Analysis Undergoing Analysis - In Progress
Out-of-Bounds Read in EmberZNet Framework

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Silicon Graphics (SGI)

Description
In EmberZNet v9.0.2 and earlier, malformed global ZCL messages can trigger out-of-bounds reads in framework parsing logic and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-4526
EUVD
EUVD-2026-39396
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
silabs emberznet 9.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in EmberZNet version 9.0.2 and earlier. It occurs when malformed global Zigbee Cluster Library (ZCL) messages are processed by the framework parsing logic, causing out-of-bounds reads. These malformed messages must originate from a device that has already joined the network. The out-of-bounds read leads to termination of the process handling the message.

Importantly, no information leakage back to the sender was observed, meaning the vulnerability causes a denial of service rather than data exposure.

Compliance Impact

The vulnerability involves malformed global ZCL messages causing out-of-bounds reads and process termination in EmberZNet. However, no information leakage back to the sender was observed.

Since there is no observed information leakage or data exposure, the vulnerability does not directly imply a breach of data confidentiality or integrity that would typically impact compliance with standards like GDPR or HIPAA.

Nevertheless, the denial of service caused by process termination could affect system availability, which is a component of some compliance frameworks, but the provided information does not specify any direct compliance impact.

Impact Analysis

The primary impact of this vulnerability is that it can cause the affected process to terminate unexpectedly when it receives malformed global ZCL messages from a device on the network. This can lead to denial of service conditions within the EmberZNet framework.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4526. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart