
CVE-2026-23750

High · Public PoC

Published: 26 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (upstream commit 1b2219a1)
CVSS v4.0 score: 7.2 (High) CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0016 (5.1 percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23750 is a high-severity heap-based buffer overflow (CWE-122) in Golioth Pouch. Its CVSS v4.0 base score is 7.2 (High); the corresponding CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). EPSS ranks the CVE at the 5.1 percentile by exploit likelihood, well below the median, and it is not currently listed in the CISA KEV catalog, although a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-23750 is a heap-based buffer overflow (CWE-122) affecting Golioth Pouch version 0.1.0 prior to commit 1b2219a1. The flaw is in the BLE GATT server certificate write handler, server_cert_write(): on the first fragment it allocates a heap buffer of CONFIG_POUCH_SERVER_CERT_MAX_LEN bytes, then appends each subsequent fragment with memcpy() without checking how much capacity remains. Under CVSS v3.1 the flaw scores 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H): high integrity and availability impact, no confidentiality impact.

An adjacent Bluetooth Low Energy (BLE) client can exploit the flaw by sending unauthenticated certificate fragments whose combined length exceeds the allocated buffer, overflowing the heap. The attacker must be within BLE radio range of the device (CVSS Adjacent) but needs no privileges or user interaction. Successful exploitation crashes the device through memory corruption; because the overrun overwrites neighbouring heap data, an integrity impact is also possible.

Mitigation is available via the upstream patch in commit 1b2219a1 at https://github.com/golioth/pouch/commit/1b2219a1. Additional details are provided in advisories from SecMate (https://secmate.dev/disclosures/SECMATE-2025-0018), VulnCheck (https://www.vulncheck.com/advisories/golioth-pouch-ble-gatt-heap-based-buffer-overflow), and a disclosure blog post (https://blog.secmate.dev/posts/golioth-vulnerabilities-disclosure/). Security practitioners should update to a patched version and review BLE GATT write handlers in similar IoT firmware for the same missing bounds check on fragment reassembly.
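The vulnerable pattern described above, side by side with a bounds-checked variant, as an added example: this is not Golioth Pouch code and does not reproduce the real server_cert_write() or the upstream patch. The handler names cert_write_vulnerable() and cert_write_hardened(), struct cert_rx, the 64-byte CERT_MAX_LEN standing in for CONFIG_POUCH_SERVER_CERT_MAX_LEN, and the constructed fragment sizes are all assumptions. The lab harness places a canary region directly behind the certificate buffer inside the same allocation so the overrun can be measured without undefined behaviour; on a real device those bytes would be other heap allocations or allocator metadata, which is where the crash and integrity impact come from.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CERT_MAX_LEN 64u   /* assumed value, standing in for CONFIG_POUCH_SERVER_CERT_MAX_LEN */
#define CANARY_LEN   32u   /* lab-only guard region placed right after the buffer */
#define CANARY_BYTE  0xA5

enum cert_rc { CERT_OK = 0, CERT_ERR_TOO_LONG = -1, CERT_ERR_STATE = -2,
               CERT_ERR_NOMEM = -3, LAB_ARENA_EXCEEDED = -99 /* replay refused, not a handler result */ };

struct cert_rx {          /* assumed shape of the per-connection receive state */
    uint8_t *buf;         /* heap buffer, allocated on the first fragment */
    size_t   len;         /* bytes appended so far */
};

/* Both handlers believe buf holds CERT_MAX_LEN bytes. The lab allocates CANARY_LEN extra
 * bytes behind it, filled with a pattern, so an overrun stays inside one malloc'd object
 * and can be measured; on a device those bytes would be other heap data or metadata. */
static int start_cert(struct cert_rx *rx)
{
    free(rx->buf);
    rx->len = 0;
    rx->buf = malloc(CERT_MAX_LEN + CANARY_LEN);
    if (rx->buf == NULL) return CERT_ERR_NOMEM;
    memset(rx->buf + CERT_MAX_LEN, CANARY_BYTE, CANARY_LEN);
    return CERT_OK;
}

/* Vulnerable pattern from the advisory: later fragments are memcpy()'d onto the end
 * of the buffer with no check of the capacity that remains. */
static int cert_write_vulnerable(struct cert_rx *rx, const uint8_t *frag, size_t frag_len, bool first)
{
    if (first) { int rc = start_cert(rx); if (rc != CERT_OK) return rc; }
    else if (rx->buf == NULL) return CERT_ERR_STATE;
    memcpy(rx->buf + rx->len, frag, frag_len);   /* CWE-122: may run past CERT_MAX_LEN */
    rx->len += frag_len;
    return CERT_OK;
}

/* Hardened variant: compare the fragment with the remaining capacity (subtract first, so
 * the check itself cannot wrap) and drop the partial certificate on rejection, so the
 * peer cannot keep appending into a half-filled buffer. */
static int cert_write_hardened(struct cert_rx *rx, const uint8_t *frag, size_t frag_len, bool first)
{
    if (first) { int rc = start_cert(rx); if (rc != CERT_OK) return rc; }
    else if (rx->buf == NULL) return CERT_ERR_STATE;
    if (frag_len > CERT_MAX_LEN - rx->len) {
        free(rx->buf); rx->buf = NULL; rx->len = 0;
        return CERT_ERR_TOO_LONG;
    }
    memcpy(rx->buf + rx->len, frag, frag_len);
    rx->len += frag_len;
    return CERT_OK;
}

typedef int (*cert_write_fn)(struct cert_rx *, const uint8_t *, size_t, bool);

struct replay_result {
    int    rc;        /* last handler return code */
    size_t len;       /* bytes the handler believes it stored */
    size_t damage;    /* canary bytes overwritten (0 = guard intact) */
};

/* Feed a constructed fragment sequence (0x42 filler, as an unauthenticated BLE client
 * could send) through one handler and report what happened to the buffer. */
static struct replay_result replay(cert_write_fn fn, const size_t *sizes, size_t n)
{
    struct replay_result r = { CERT_ERR_STATE, 0, 0 };
    uint8_t frag[CERT_MAX_LEN + CANARY_LEN];
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += sizes[i];
    if (total > sizeof frag) { r.rc = LAB_ARENA_EXCEEDED; return r; }   /* never leave the arena */
    memset(frag, 0x42, sizeof frag);
    struct cert_rx rx = { NULL, 0 };
    for (size_t i = 0; i < n; i++) {
        r.rc = fn(&rx, frag, sizes[i], i == 0);
        if (r.rc != CERT_OK) break;
    }
    r.len = rx.len;
    if (rx.buf != NULL)
        for (size_t i = 0; i < CANARY_LEN; i++)
            if (rx.buf[CERT_MAX_LEN + i] != CANARY_BYTE) r.damage++;
    free(rx.buf);
    return r;
}

/* Constructed sequences: 40+40 overruns the 64-byte buffer by 16 bytes; 32+32 fits exactly. */
const size_t oversized[] = { 40, 40 };
const size_t exact_fit[] = { 32, 32 };

int main(void)
{
    struct replay_result v = replay(cert_write_vulnerable, oversized, 2);
    struct replay_result h = replay(cert_write_hardened, oversized, 2);
    printf("vulnerable, 40+40: rc=%d len=%zu canary bytes clobbered=%zu\n", v.rc, v.len, v.damage);
    printf("hardened,   40+40: rc=%d len=%zu canary bytes clobbered=%zu\n", h.rc, h.len, h.damage);
    return 0;
}
```

Build with `cc -Wall -Wextra -o cert_demo cert_demo.c && ./cert_demo`. The check in cert_write_hardened() is the review question to carry to similar GATT write handlers: is every append compared against remaining capacity (computed by subtraction, so the comparison cannot wrap), is the first fragment itself checked rather than only the continuations, and is partial state discarded on rejection instead of being left for the next write to continue into.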


Vulnerability details

Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

CWE(s): CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The heap overflow sits in a BLE GATT service that any adjacent, unauthenticated client can reach, so exploiting that service over the adjacent network yields the denial-of-service and integrity impacts described above.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32710 (shared CWE-122)
CVE-2025-54878 (shared CWE-122)
CVE-2025-49676 (shared CWE-122)
CVE-2025-0755 (shared CWE-122)
CVE-2025-21306 (shared CWE-122)
CVE-2026-7378 (shared CWE-122)
CVE-2023-50739 (shared CWE-122)
CVE-2025-49757 (shared CWE-122)
CVE-2025-21223 (shared CWE-122)
CVE-2025-21236 (shared CWE-122)

Affected Assets

Golioth Pouch
Inferred from the references and description; NVD has not filed a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI mapping)

SI-10 Information Input Validation (prevent): validate the length of each incoming, unauthenticated BLE GATT certificate fragment against the remaining capacity of the allocated heap buffer before appending it, so the buffer cannot overflow.

SI-16 Memory Protection (prevent): heap protections such as bounds checking or guard pages block writes from oversized certificate fragments that run past the allocation.

Timely flaw remediation (prevent): apply the upstream patch in commit 1b2219a1 promptly to remove this specific heap buffer overflow.
