Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.3
CVE-2026-8836: lwIP: Unauthenticated Remote Stack Overflow in SNMPv3 Handler
CVE-2026-8836
Summary
A remote attacker can cause a stack overflow in the lwIP SNMPv3 handler, potentially leading to a crash or malicious code execution. This affects all systems using lwIP versions up to 2.2.1. To fix this, apply the available patch to prevent remote attacks.
Original title
A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation ...
Original description
A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue.
nvd CVSS2.0
10.0
nvd CVSS3.1
9.8
nvd CVSS4.0
9.3
Vulnerability type
CWE-119
Buffer Overflow
CWE-121
Stack-based Buffer Overflow
- https://cgit.git.savannah.gnu.org/cgit/lwip.git/commit/?id=0c957ec03054eb6c8205e...
- https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada389...
- https://savannah.nongnu.org/bugs/?68194
- https://vuldb.com/submit/829798
- https://vuldb.com/vuln/364474
- https://vuldb.com/vuln/364474/cti
Published: 18 May 2026 · Updated: 28 May 2026 · First seen: 18 May 2026