Golioth Firmware SDK Crashes or Denies Service due to Malicious Path Input
CVE-2026-23749
Summary
The Golioth Firmware SDK's blockwise transfer feature is vulnerable to a crash or denial of service if an attacker provides a maliciously crafted path. This could happen if an application uses the SDK to process user-supplied input that is not properly validated. To fix this, update the Golioth Firmware SDK to version 0.22.0 or later.
Original title
Golioth Firmware SDK version 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contains an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwise_transfer_init()...
Original description
Golioth Firmware SDK version 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contains an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwise_transfer_init() accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A later strlen() on this buffer (in golioth_coap_client_get_internal()) can read past the end of the allocation, resulting in a crash/denial of service. The input is application-controlled (not network by default).
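The strncpy() pattern the description refers to, shown beside a bounded copy that refuses any path that cannot be stored together with its terminator. This is an added example written for this advisory, not code from the Golioth Firmware SDK: the context struct, the function names, the value chosen for CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and the two sample paths are all assumptions constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: in the SDK this is a Kconfig setting; 16 is
 * chosen here only to keep the sample paths short. */
#define CONFIG_GOLIOTH_COAP_MAX_PATH_LEN 16

/* Hypothetical context holding the copied path (stands in for the ctx->path
 * buffer named in the advisory; the struct and field are not the SDK's). */
struct xfer_ctx {
    char path[CONFIG_GOLIOTH_COAP_MAX_PATH_LEN];
};

/* Constructed inputs: PATH_AT_LIMIT is exactly CONFIG_GOLIOTH_COAP_MAX_PATH_LEN
 * characters long (the case the advisory describes); PATH_FITS is one character
 * shorter and therefore leaves room for the terminator. */
static const char PATH_AT_LIMIT[] = "/.d/sensor/temp0"; /* 16 chars */
static const char PATH_FITS[]     = "/.d/sensor/temp";  /* 15 chars */

/* The defective pattern: strncpy() with n equal to the destination size writes
 * no NUL at all when the source is n bytes or longer, so the buffer is left
 * unterminated and a later strlen() runs off the end of it. */
static bool xfer_init_vulnerable(struct xfer_ctx *ctx, const char *path)
{
    strncpy(ctx->path, path, sizeof(ctx->path));
    return true;
}

/* Hardened variant: look for the terminator within the buffer size only
 * (memchr stops at the first match, so it never reads past a shorter string),
 * reject anything that cannot fit with its NUL, and write the NUL explicitly. */
static bool xfer_init_safe(struct xfer_ctx *ctx, const char *path)
{
    const char *nul = memchr(path, '\0', sizeof(ctx->path));
    if (nul == NULL) {
        return false; /* path is >= sizeof(ctx->path): would be unterminated */
    }
    size_t len = (size_t)(nul - path);
    memcpy(ctx->path, path, len);
    ctx->path[len] = '\0';
    return true;
}

/* True if the stored path contains a NUL inside the buffer, i.e. a strlen()
 * on it would stay within bounds. */
static bool path_is_terminated(const struct xfer_ctx *ctx)
{
    return memchr(ctx->path, '\0', sizeof(ctx->path)) != NULL;
}

enum init_result {
    INIT_REJECTED = 0,        /* initializer refused the path */
    INIT_OK_TERMINATED = 1,   /* stored and safe to strlen() */
    INIT_OK_UNTERMINATED = 2  /* stored, but strlen() would read past the buffer */
};

/* Run one initializer on one path and classify the outcome. The buffer is
 * poisoned first so that any NUL found can only have come from the initializer. */
static enum init_result init_and_check(const char *path, bool hardened)
{
    struct xfer_ctx ctx;
    memset(&ctx, 0xAA, sizeof(ctx));
    bool ok = hardened ? xfer_init_safe(&ctx, path)
                       : xfer_init_vulnerable(&ctx, path);
    if (!ok) {
        return INIT_REJECTED;
    }
    return path_is_terminated(&ctx) ? INIT_OK_TERMINATED : INIT_OK_UNTERMINATED;
}

int main(void)
{
    static const char *const names[] = {
        "rejected", "ok, terminated", "ok, UNTERMINATED"
    };
    printf("strncpy, path at limit: %s\n", names[init_and_check(PATH_AT_LIMIT, false)]);
    printf("strncpy, path fits:     %s\n", names[init_and_check(PATH_FITS, false)]);
    printf("safe,    path at limit: %s\n", names[init_and_check(PATH_AT_LIMIT, true)]);
    printf("safe,    path fits:     %s\n", names[init_and_check(PATH_FITS, true)]);
    return 0;
}
```

The point of the poisoned buffer is that strncpy() pads with NULs only when the source is shorter than n, so the 15-character path looks fine under both initializers and the bug shows up only at exactly the limit; a unit test that never exercises a path of length CONFIG_GOLIOTH_COAP_MAX_PATH_LEN would miss it.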
NVD CVSS 3.1: 2.9
NVD CVSS 4.0: 2.1
Vulnerability type
CWE-170 (Improper Null Termination)
- https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
- https://github.com/golioth/golioth-firmware-sdk/commit/0e788217ab4b61a7c1d9fadd1...
- https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0
- https://secmate.dev/disclosures/SECMATE-2025-0017
- https://www.vulncheck.com/advisories/golioth-firmware-sdk-blockwise-transfer-pat...
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026