CVE-2026-23750
Published: 26 February 2026
Summary
CVE-2026-23750 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 5.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-23750 is a heap-based buffer overflow vulnerability (CWE-122) affecting Golioth Pouch version 0.1.0 prior to commit 1b2219a1. The issue resides in the BLE GATT server certificate handling function server_cert_write(), which allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN upon receiving the first fragment and then appends subsequent fragments via memcpy() without checking remaining capacity. This flaw has a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating high integrity and availability impacts but no confidentiality impact.
An adjacent Bluetooth Low Energy (BLE) client can exploit this vulnerability by sending unauthenticated certificate fragments whose total size exceeds the allocated buffer, triggering a heap overflow. Attackers require physical proximity (adjacent network access) but need no privileges or user interaction. Successful exploitation leads to a device crash due to memory corruption and potential integrity violations from overwritten heap data.
Mitigation is available via the upstream patch in commit 1b2219a1 at https://github.com/golioth/pouch/commit/1b2219a1. Additional details are provided in advisories from SecMate (https://secmate.dev/disclosures/SECMATE-2025-0018), VulnCheck (https://www.vulncheck.com/advisories/golioth-pouch-ble-gatt-heap-based-buffer-overflow), and a disclosure blog (https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/). Security practitioners should update to the patched version and review BLE GATT handling in similar IoT firmware for analogous bounds-checking flaws.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8870
Vulnerability details
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.
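The defect described above and in the deeper analysis is a missing capacity check between allocation and append. The following is an added illustration, not Pouch's code and not the upstream fix: a minimal C fragment reassembler that performs the bounds check before memcpy() and discards the partial certificate when a fragment would exceed the buffer. The names, the `first` flag (standing in for however the GATT write callback recognises the first fragment) and the constant CERT_MAX_LEN are assumptions; the real limit is CONFIG_POUCH_SERVER_CERT_MAX_LEN from the project's Kconfig.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for CONFIG_POUCH_SERVER_CERT_MAX_LEN (real value: project Kconfig). */
#define CERT_MAX_LEN 64
struct cert_buf {
    uint8_t *data; /* heap buffer, allocated when the first fragment arrives */
    size_t cap;    /* bytes allocated; invariant: len <= cap */
    size_t len;    /* bytes appended so far */
};
static void cert_buf_reset(struct cert_buf *cb)
{
    free(cb->data);
    cb->data = NULL;
    cb->cap = cb->len = 0;
}
/* Append one fragment; 0 on success, -1 on rejection. The bounds check compares frag_len
 * with the remaining space (cap - len) before memcpy() runs; the vulnerable function lacked it. */
int cert_fragment_write(struct cert_buf *cb, const uint8_t *frag, size_t frag_len, int first)
{
    if (first) {
        cert_buf_reset(cb);
        cb->data = malloc(CERT_MAX_LEN);
        if (cb->data == NULL) return -1;
        cb->cap = CERT_MAX_LEN;
    }
    if (cb->data == NULL) return -1;    /* continuation without a first fragment */
    if (frag_len > cb->cap - cb->len) { /* would overflow: drop the partial certificate */
        cert_buf_reset(cb);
        return -1;
    }
    memcpy(cb->data + cb->len, frag, frag_len);
    cb->len += frag_len;
    return 0;
}

/* Feed constructed fragment sizes (each <= 2 * CERT_MAX_LEN); returns reassembled length or -1. */
long run_fragments(const size_t *sizes, size_t n)
{
    struct cert_buf cb = { NULL, 0, 0 };
    uint8_t filler[2 * CERT_MAX_LEN];   /* constructed payload bytes; content is irrelevant */
    memset(filler, 0xAB, sizeof filler);
    for (size_t i = 0; i < n; i++)
        if (cert_fragment_write(&cb, filler, sizes[i], i == 0) != 0)
            return -1;                  /* the buffer was already freed on rejection */
    long total = (long)cb.len;
    cert_buf_reset(&cb);
    return total;
}
```

A fragment sequence that exactly fills the buffer is accepted, while any sequence whose combined size exceeds CERT_MAX_LEN is rejected at the offending fragment instead of writing past the allocation.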
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A heap overflow in the BLE GATT service allows remote exploitation of that service for denial-of-service and integrity impact over an adjacent network.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validating the size of incoming unauthenticated BLE GATT certificate fragments against the allocated heap buffer capacity before appending, to prevent overflows.
- SI-16 (Memory Protection): provides heap memory protections such as bounds checking or guard pages to block unauthorized writes from oversized certificate fragments.
- Mandates timely remediation of the specific heap buffer overflow flaw by applying the upstream patch in commit 1b2219a1.