Golioth Firmware SDK: Malicious Payload Can Crash System
CVE-2026-23747
Summary
Golioth Firmware SDK versions 0.10.0 to 0.21.9 contain a security flaw that could cause a system crash if a malicious payload is received from a network. This could happen if an attacker intercepts and modifies network traffic or controls a server that sends a payload to your system. To stay safe, update to version 0.22.0 or later of the Golioth Firmware SDK.
Original title
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit 48f521b, contains a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() hel...
Original description
Golioth Firmware SDK version 0.10.0 prior to 0.22.0, fixed in commit 48f521b, contains a stack-based buffer overflow in Payload Utils. The golioth_payload_as_int() and golioth_payload_as_float() helpers copy network-supplied payload data into fixed-size stack buffers using memcpy() with a length derived from payload_size. The only length checks are guarded by assert(); in release builds, the asserts are compiled out and memcpy() may copy an unbounded payload_size. Payloads larger than 12 bytes (int) or 32 bytes (float) can overflow the stack, resulting in a crash/denial of service. This is reachable via LightDB State on_payload with a malicious server or MITM.
NVD CVSS 3.1: 3.7
NVD CVSS 4.0: 6.3
Vulnerability type: CWE-121 Stack-based Buffer Overflow
References
- https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
- https://github.com/golioth/golioth-firmware-sdk/commit/48f521bcc0187ada2b9cbdad3...
- https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0
- https://secmate.dev/disclosures/SECMATE-2025-0015
- https://www.vulncheck.com/advisories/golioth-firmware-sdk-payload-utils-stack-ba...
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026