The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23749

CVE-2026-23749: Golioth Firmware SDK DoS Vulnerability

CVE-2026-23749 is a denial of service flaw in Golioth Firmware SDK caused by improper null termination leading to out-of-bounds reads. This article covers the technical details, affected versions, impact, and mitigation.

Published: February 27, 2026

CVE-2026-23749 Overview

CVE-2026-23749 is an out-of-bounds read vulnerability affecting Golioth Firmware SDK versions 0.19.1 prior to 0.22.0. The flaw exists due to improper null termination of a blockwise transfer path in the blockwise_transfer_init() function. When a path with a length equal to CONFIG_GOLIOTH_COAP_MAX_PATH_LEN is provided, the function copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A subsequent strlen() call on this buffer in golioth_coap_client_get_internal() can read past the end of the allocation, resulting in a crash or denial of service condition.

Critical Impact

An out-of-bounds read in the Golioth Firmware SDK can cause application crashes and denial of service on IoT devices using this firmware SDK when processing blockwise CoAP transfers with maximum-length paths.

Affected Products

  • Golioth Firmware SDK versions 0.19.1 to 0.21.x
  • IoT devices and embedded systems utilizing affected Golioth Firmware SDK versions
  • Applications implementing CoAP blockwise transfers with Golioth SDK

Discovery Timeline

  • 2026-02-26 - CVE CVE-2026-23749 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2026-23749

Vulnerability Analysis

This vulnerability is classified as CWE-170 (Improper Null Termination). The root issue lies in the blockwise_transfer_init() function within src/coap_blockwise.c, which fails to properly ensure null termination when copying path strings at the boundary condition.

The strncpy() function in C does not guarantee null termination when the source string length equals or exceeds the specified maximum length. In this case, when a path of exactly CONFIG_GOLIOTH_COAP_MAX_PATH_LEN characters is provided, the buffer is filled completely without a terminating NUL byte. Subsequent string operations like strlen() will then read beyond the allocated buffer boundaries until a null byte is encountered in adjacent memory, causing undefined behavior.

While the input is application-controlled rather than network-controlled by default, this still presents a risk in scenarios where path values are derived from configuration or semi-trusted sources. The impact is limited to denial of service through application crashes.

Root Cause

The vulnerability stems from a classic C programming error involving strncpy() and improper buffer size calculation. The function allocated a buffer of CONFIG_GOLIOTH_COAP_MAX_PATH_LEN bytes and used the same value as the strncpy() length parameter, leaving no room for the null terminator when the input string exactly matches this maximum length. This is a common source of off-by-one errors in embedded C code.

Attack Vector

The attack vector requires local access as the vulnerable input is application-controlled. An attacker would need to influence the path parameter passed to the blockwise transfer initialization function. This could occur through:

  1. Manipulating application configuration files that define CoAP resource paths
  2. Exploiting other application logic that constructs paths dynamically
  3. In some deployment scenarios, through indirect control of path values via application APIs

The attack complexity is increased by the prerequisite of controlling the path input and ensuring it meets the exact maximum length condition.

c
// Security patch from src/coap_blockwise.c
// Source: https://github.com/golioth/golioth-firmware-sdk/commit/0e788217ab4b61a7c1d9fadd1b4a40f5f538a26d

     {
         return -EINVAL;
     }
-    strncpy(ctx->path, path, CONFIG_GOLIOTH_COAP_MAX_PATH_LEN);
+    strncpy(ctx->path, path, CONFIG_GOLIOTH_COAP_MAX_PATH_LEN + 1);

     ctx->client = client;
     ctx->path_prefix = path_prefix;

The fix increases the strncpy() length parameter by one to account for the null terminator, ensuring the path is always properly terminated regardless of input length.

Detection Methods for CVE-2026-23749

Indicators of Compromise

  • Application crashes or unexpected terminations during CoAP blockwise transfer operations
  • Memory access violations or segmentation faults in firmware logs referencing golioth_coap_client_get_internal() or related functions
  • Repeated device reboots when processing specific CoAP resource paths

Detection Strategies

  • Implement runtime memory sanitizers (AddressSanitizer) during development and testing to catch out-of-bounds reads
  • Monitor application stability and crash reports for patterns involving CoAP path processing
  • Review firmware logs for memory access errors or abnormal terminations in Golioth SDK components
  • Audit source code for strncpy() usage patterns without proper null termination checks

Monitoring Recommendations

  • Enable verbose logging for CoAP operations to capture path lengths being processed
  • Implement watchdog monitoring for unexpected firmware crashes on IoT devices
  • Track device uptime metrics to identify denial of service patterns
  • Set up crash dump collection and analysis for embedded devices where possible

How to Mitigate CVE-2026-23749

Immediate Actions Required

  • Update Golioth Firmware SDK to version 0.22.0 or later immediately
  • Review all CoAP resource paths configured in applications to ensure they are well under CONFIG_GOLIOTH_COAP_MAX_PATH_LEN
  • If immediate update is not possible, apply the patch from commit 0e788217ab4b61a7c1d9fadd1b4a40f5f538a26d
  • Validate input path lengths before passing to blockwise transfer functions

Patch Information

The vulnerability is fixed in Golioth Firmware SDK version 0.22.0. The fix is available in commit 0e788217ab4b61a7c1d9fadd1b4a40f5f538a26d. Organizations should update to the patched version by pulling the latest release from the Golioth Firmware SDK v0.22.0 Release.

For technical details on the vulnerability and fix, refer to the VulnCheck Advisory and the Secmate Disclosure SECMATE-2025-0017.

Workarounds

  • Enforce path length validation at the application layer to ensure paths are always shorter than CONFIG_GOLIOTH_COAP_MAX_PATH_LEN
  • Reduce CONFIG_GOLIOTH_COAP_MAX_PATH_LEN configuration value if shorter paths are acceptable for your use case
  • Implement defensive null termination after any strncpy() calls in custom code interfacing with the SDK
  • Consider input sanitization wrappers around blockwise transfer initialization functions
bash
# Configuration example - Verify Golioth SDK version and update
# Check current SDK version in your project
grep -r "GOLIOTH_FIRMWARE_SDK_VERSION" .

# Update to patched version using west (Zephyr)
west update golioth-firmware-sdk

# Or update manifest to use v0.22.0 or later
# revision: v0.22.0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechGolioth
  • SeverityLOW
  • CVSS Score2.1
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-170
  • Technical References
  • GitHub Commit Update
  • GitHub Release v0.22.0
  • Secmate Disclosure SECMATE-2025-0017
  • VulnCheck Advisory Golioth SDK Issue
  • Related CVEs
  • CVE-2026-23748: Golioth Firmware SDK DoS Vulnerability
  • CVE-2026-23747: Golioth Firmware SDK Buffer Overflow
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English