CVE-2026-23750 Overview
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow vulnerability in the BLE GATT server certificate handling functionality. The server_cert_write() function allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.
Critical Impact
An unauthenticated attacker within BLE range can trigger a heap-based buffer overflow, leading to device crashes and potential memory corruption that may enable further exploitation.
Affected Products
- Golioth Pouch version 0.1.0 (prior to commit 1b2219a1)
- IoT devices and embedded systems utilizing Golioth Pouch BLE GATT server functionality
- Systems with BLE connectivity exposed to adjacent network attackers
Discovery Timeline
- 2026-02-26 - CVE-2026-23750 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-23750
Vulnerability Analysis
This heap-based buffer overflow (CWE-122) exists in the BLE GATT server certificate characteristic handling code within Golioth Pouch. The vulnerability stems from improper bounds checking when processing fragmented certificate data received over BLE.
The server_cert_write() function is responsible for receiving certificate fragments from BLE clients and assembling them into a complete certificate buffer. Upon receiving the first fragment, the function allocates a heap buffer with a fixed maximum size defined by CONFIG_POUCH_SERVER_CERT_MAX_LEN. However, when subsequent fragments arrive, the function uses memcpy() to append the payload data without validating whether the combined size of existing data plus the new fragment would exceed the buffer capacity.
This allows an attacker to craft a sequence of BLE GATT write operations that, when combined, exceed the allocated buffer size, resulting in heap memory corruption beyond the certificate buffer boundaries.
Root Cause
The root cause is a missing bounds check before the memcpy() operation in server_cert_write(). The function fails to verify that ctx->cert.size + payload_len does not exceed CONFIG_POUCH_SERVER_CERT_MAX_LEN before copying fragment data. This classic buffer overflow pattern allows attackers to write arbitrary data past the end of the allocated heap buffer.
Attack Vector
The attack requires adjacent network access via Bluetooth Low Energy (BLE). An attacker within BLE range of a vulnerable device can exploit this vulnerability without authentication by:
- Initiating a BLE connection to the target device running Golioth Pouch
- Sending an initial certificate fragment to trigger buffer allocation
- Sending additional fragments whose cumulative size exceeds CONFIG_POUCH_SERVER_CERT_MAX_LEN
- Triggering the heap overflow when memcpy() writes beyond buffer bounds
This can result in denial of service through device crash, or potentially more severe impacts through controlled heap memory corruption.
return BT_GATT_ERR(BT_ATT_ERR_INSUFFICIENT_RESOURCES);
}
+ if (ctx->cert.size + payload_len > CONFIG_POUCH_SERVER_CERT_MAX_LEN)
+ {
+ return BT_GATT_ERR(BT_ATT_ERR_INVALID_ATTRIBUTE_LEN);
+ }
+
memcpy((void *) &ctx->cert.buffer[ctx->cert.size], payload, payload_len);
ctx->cert.size += payload_len;
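Review bot: the added check compares against the compile-time CONFIG_POUCH_SERVER_CERT_MAX_LEN rather than the size the buffer was actually allocated with on the first-fragment path; that is correct only while both sites use the same constant, so either compare against a stored capacity field or note the coupling in a comment beside the check. Consider also phrasing the test as `payload_len > CONFIG_POUCH_SERVER_CERT_MAX_LEN - ctx->cert.size` so that the sum `ctx->cert.size + payload_len` cannot wrap if either operand is a narrow integer type (their declarations are not in the visible lines). Returning BT_ATT_ERR_INVALID_ATTRIBUTE_LEN for the over-long fragment is the right ATT error, and the early return leaves ctx->cert.size untouched, which is what the subsequent-fragment logic needs.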
Source: GitHub Commit Update
The patch adds proper bounds validation before the memcpy() call, checking if the current certificate size plus the incoming payload length would exceed the maximum buffer capacity. If so, it returns an appropriate error (BT_ATT_ERR_INVALID_ATTRIBUTE_LEN) instead of allowing the overflow.
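As an added illustration of the root cause and of the fix, the following stand-alone C model reproduces the fragment reassembly pattern described above. It is example code written for this page, not Golioth Pouch's implementation, and it does not use Zephyr's Bluetooth APIs: CERT_MAX_LEN (value assumed), struct cert_ctx, the CERT_* return codes and cert_feed_fragments() are stand-ins for CONFIG_POUCH_SERVER_CERT_MAX_LEN, ctx->cert and the BT_GATT_ERR() values. The pre-patch append is kept only as a comment; the implemented check is the patched one, written against the remaining room so the comparison cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for CONFIG_POUCH_SERVER_CERT_MAX_LEN; the value is an assumption. */
#define CERT_MAX_LEN 64

/* Simplified reassembly context modelled on the ctx->cert fields named in the
 * advisory. Field names and layout are assumptions, not Pouch's definitions. */
struct cert_ctx {
    uint8_t *buffer;  /* heap buffer, allocated when the first fragment arrives */
    size_t size;      /* bytes assembled so far */
    size_t capacity;  /* bytes the allocation can hold */
};

/* Return codes standing in for the BT_GATT_ERR(...) values in the patch. */
enum cert_rc {
    CERT_OK = 0,
    CERT_ERR_INSUFFICIENT_RESOURCES = -1, /* allocation failed */
    CERT_ERR_INVALID_ATTRIBUTE_LEN = -2   /* fragment would overflow the buffer */
};

/* Pre-patch behaviour, for reference only: the append was
 *   memcpy(&ctx->buffer[ctx->size], payload, payload_len); ctx->size += payload_len;
 * with no test of the remaining room, so a fragment sequence totalling more
 * than CERT_MAX_LEN wrote past the end of the allocation. */

/* Capacity test written against the remaining room rather than the sum
 * ctx->size + payload_len, so the comparison cannot wrap around. */
static bool fragment_fits(const struct cert_ctx *ctx, size_t payload_len)
{
    return payload_len <= ctx->capacity - ctx->size;
}

/* Append one fragment; mirrors the patched control flow of server_cert_write(). */
int cert_append(struct cert_ctx *ctx, const uint8_t *payload, size_t payload_len)
{
    if (ctx->buffer == NULL) {
        /* First fragment: allocate the fixed-size buffer. */
        ctx->buffer = malloc(CERT_MAX_LEN);
        if (ctx->buffer == NULL) {
            return CERT_ERR_INSUFFICIENT_RESOURCES;
        }
        ctx->capacity = CERT_MAX_LEN;
        ctx->size = 0;
    }
    /* The check the fix adds: reject the fragment instead of overflowing. */
    if (!fragment_fits(ctx, payload_len)) {
        return CERT_ERR_INVALID_ATTRIBUTE_LEN;
    }
    memcpy(&ctx->buffer[ctx->size], payload, payload_len);
    ctx->size += payload_len;
    return CERT_OK;
}

void cert_reset(struct cert_ctx *ctx)
{
    free(ctx->buffer);
    ctx->buffer = NULL;
    ctx->size = 0;
    ctx->capacity = 0;
}

/* Feed a constructed sequence of fragment lengths and report the result of the
 * last append plus the assembled size. A rejected fragment stops the sequence
 * and leaves the size untouched, as the early return in the patch does. */
int cert_feed_fragments(const size_t *lens, size_t count, size_t *final_size)
{
    struct cert_ctx ctx = {0};
    uint8_t chunk[CERT_MAX_LEN];
    int rc = CERT_OK;

    memset(chunk, 0xAB, sizeof chunk); /* constructed filler standing in for DER bytes */
    for (size_t i = 0; i < count && rc == CERT_OK; i++) {
        rc = cert_append(&ctx, chunk, lens[i]);
    }
    *final_size = ctx.size;
    cert_reset(&ctx);
    return rc;
}

int main(void)
{
    size_t within[] = {30, 30};
    size_t over[] = {30, 30, 5};
    size_t size;
    int rc;

    rc = cert_feed_fragments(within, 2, &size);
    printf("within limit: rc=%d size=%zu\n", rc, size);
    rc = cert_feed_fragments(over, 3, &size);
    printf("over limit:   rc=%d size=%zu\n", rc, size);
    return 0;
}
```

The third fragment in the second sequence is only five bytes, which shows why the check has to be cumulative: each fragment on its own fits comfortably within the limit, and only the running total exposes the overflow.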
Detection Methods for CVE-2026-23750
Indicators of Compromise
- Unexpected device crashes or reboots in systems running Golioth Pouch with BLE enabled
- BLE connection anomalies including unusually large or numerous GATT write operations to certificate characteristics
- Heap corruption artifacts in device memory dumps or crash logs
- Unusual BLE client connection patterns from unknown devices in proximity
Detection Strategies
- Monitor BLE GATT server logs for repeated write operations to server certificate characteristics
- Implement heap integrity checking mechanisms to detect corruption
- Deploy BLE traffic monitoring to identify anomalous connection patterns or payload sizes
- Enable crash reporting and memory dump analysis on affected embedded devices
Monitoring Recommendations
- Implement BLE connection logging to track client connections and GATT operations
- Configure watchdog timers to detect and recover from crash conditions
- Deploy intrusion detection for BLE environments where feasible
- Establish baseline BLE traffic patterns to identify anomalous activity
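The first two detection strategies above can be made concrete. The following C program is an added example, not part of Golioth Pouch or of this advisory: it consumes a constructed log format (the `conn <id> gatt_write chr=... len=...` and `conn <id> disconnected` lines, the `server_cert` characteristic name and the 512-byte limit are all assumptions) and raises one alert per connection whose cumulative writes to the certificate characteristic exceed what a fixed-size buffer could hold. The same per-connection accumulation applies to real GATT write events from a BLE sniffer or a gateway-side monitor.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed certificate limit; a real deployment would take the value of
 * CONFIG_POUCH_SERVER_CERT_MAX_LEN from the firmware build. */
#define CERT_MAX_LEN 512
#define MAX_CONNS 8

struct conn_state {
    bool in_use;
    int conn_id;
    size_t cert_bytes;  /* cumulative bytes written to the certificate characteristic */
    unsigned writes;    /* number of writes to that characteristic */
    bool flagged;       /* alert already raised for this connection */
};

struct detector {
    struct conn_state conns[MAX_CONNS];
    unsigned alerts;
    int last_flagged_conn;
};

/* Find the live state for conn_id, or claim a free slot for a new connection. */
static struct conn_state *conn_lookup(struct detector *d, int conn_id)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        if (d->conns[i].in_use && d->conns[i].conn_id == conn_id) {
            return &d->conns[i];
        }
    }
    for (int i = 0; i < MAX_CONNS; i++) {
        if (!d->conns[i].in_use) {
            d->conns[i] = (struct conn_state){ .in_use = true, .conn_id = conn_id };
            return &d->conns[i];
        }
    }
    return NULL; /* table full; a production detector would report this */
}

/* Consume one log line in the constructed format described in the lead-in.
 * Returns true when the line raises an alert. */
bool detector_feed(struct detector *d, const char *line)
{
    int conn_id;
    unsigned len;
    char chr[32];

    if (sscanf(line, "conn %d gatt_write chr=%31s len=%u", &conn_id, chr, &len) == 3) {
        if (strcmp(chr, "server_cert") != 0) {
            return false; /* writes to other characteristics are not tracked */
        }
        struct conn_state *c = conn_lookup(d, conn_id);
        if (c == NULL) {
            return false;
        }
        c->writes++;
        c->cert_bytes += len;
        /* Alert once per connection when the fragments could no longer fit the
         * fixed buffer, which is exactly the condition the patch rejects. */
        if (c->cert_bytes > CERT_MAX_LEN && !c->flagged) {
            c->flagged = true;
            d->alerts++;
            d->last_flagged_conn = conn_id;
            return true;
        }
        return false;
    }
    if (sscanf(line, "conn %d disconnected", &conn_id) == 1) {
        struct conn_state *c = conn_lookup(d, conn_id);
        if (c != NULL) {
            c->in_use = false; /* drop state so a reused conn id starts fresh */
        }
    }
    return false;
}

/* Constructed sample log: connection 1 provisions a 400-byte certificate in two
 * fragments (legitimate); connection 2 writes 900 bytes across three fragments. */
static const char *SAMPLE_LOG[] = {
    "conn 1 gatt_write chr=server_cert len=200",
    "conn 1 gatt_write chr=server_cert len=200",
    "conn 1 disconnected",
    "conn 2 gatt_write chr=device_name len=20",
    "conn 2 gatt_write chr=server_cert len=300",
    "conn 2 gatt_write chr=server_cert len=300",
    "conn 2 gatt_write chr=server_cert len=300",
};

/* Run the sample through a fresh detector; returns the number of alerts. */
unsigned detector_run_sample(struct detector *d)
{
    memset(d, 0, sizeof *d);
    d->last_flagged_conn = -1;
    for (size_t i = 0; i < sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]; i++) {
        if (detector_feed(d, SAMPLE_LOG[i])) {
            printf("ALERT: %s (cumulative certificate bytes exceed %d)\n", SAMPLE_LOG[i], CERT_MAX_LEN);
        }
    }
    return d->alerts;
}
```

Only the second of connection 2's three fragments trips the threshold, and the third does not raise a second alert; alerting on the crossing rather than on every subsequent write keeps the signal to one event per suspicious connection, which is easier to correlate with a crash or watchdog reset on the device.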
How to Mitigate CVE-2026-23750
Immediate Actions Required
- Update Golioth Pouch to a version containing commit 1b2219a1 or later
- Restrict BLE pairing and connections to trusted devices only where possible
- Disable BLE functionality on devices where it is not required
- Implement network segmentation to limit BLE exposure
Patch Information
The vulnerability is fixed in commit 1b2219a1 of the Golioth Pouch repository. The fix adds a bounds check before the memcpy() operation to ensure that the combined size of existing certificate data and incoming payload does not exceed CONFIG_POUCH_SERVER_CERT_MAX_LEN. Organizations should update to this commit or any subsequent release containing this fix.
Workarounds
- Disable BLE GATT server functionality if certificate provisioning over BLE is not required
- Implement BLE whitelist filtering to restrict connections to known, trusted devices
- Deploy physical security controls to limit attacker proximity to vulnerable devices
- Consider using alternative secure provisioning methods until patching is complete
# Configuration example (Kconfig fragment; verify each symbol name against the
# Pouch and Zephyr Kconfig trees of the version in use before applying it)
# Disable the BLE GATT server if certificate provisioning over BLE is not required:
# CONFIG_POUCH_BLE_GATT_SERVER=n
# Zephyr Bluetooth options sometimes adjusted alongside this change; note that
# neither one restricts which clients may connect or write to the characteristic:
# CONFIG_BT_GAP_AUTO_UPDATE_CONN_PARAMS=n   (no automatic connection-parameter updates)
# CONFIG_BT_PRIVACY=y                       (use resolvable private addresses)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.