CVE-2026-23750 - Vulnerability Analysis
Severity: High
CVSS: 8.1
Last Updated: February 27, 2026
Golioth Pouch - Buffer Overflow
Published: February 26, 2026
Updated: February 27, 2026
Overview
Golioth Pouch < [INSERT FIXED VERSION] contains a heap-based buffer overflow caused by improper fragment size verification in BLE GATT server certificate handling. An adjacent BLE client can trigger memory corruption and a crash; exploitation requires the client to be within BLE range of the device.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Adjacent BLE clients can trigger a heap overflow, leading to a crash and potential memory corruption that affects system integrity.
Mitigation
Update to a version that includes commit 1b2219a1, or to the latest available release.
References
- https://github.com/golioth/golioth-firmware-sdk/releases/tag/v0.22.0
- https://github.com/golioth/pouch/commit/1b2219a1
- https://www.vulncheck.com/advisories/golioth-pouch-ble-gatt-heap-based-buffer-overflow
- https://secmate.dev/disclosures/SECMATE-2025-0018
- https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/
Details
- CVE ID: CVE-2026-23750
- Severity: High
- CVSS Score: 8.1
- Type: buffer_overflow
- Status: unconfirmed
CWE
- CWE-122
CVSS Metrics
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H