CVE-2026-23750

Published: Feb 26, 2026

Modified: May 26, 2026

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

Vendor	Product	Versions
Golioth	Pouch	affected `0.1.0` unaffected `1b2219a159bcbef3f37caa303bbf14d14e979c11`

Weaknesses (CWE)

CWE-122

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

References

https://secmate.dev/disclosures/SECMATE-2025-0018

technical-description

https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/

technical-description

exploit

https://github.com/golioth/pouch/commit/1b2219a1

patch

https://www.vulncheck.com/advisories/golioth-pouch-ble-gatt-heap-based-buffer-overflow

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-23750

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References