CVE Vulnerability Database

CVE-2026-23750: Golioth Pouch Buffer Overflow Vulnerability

CVE-2026-23750 is a heap-based buffer overflow in Golioth Pouch version 0.1.0 affecting BLE GATT server certificate handling. Attackers can exploit this to cause crashes and memory corruption. This article covers technical details, affected versions, impact, and mitigation strategies.


CVE-2026-23750 Overview

Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow vulnerability in the BLE GATT server certificate handling functionality. The server_cert_write() function allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.

Critical Impact

An unauthenticated attacker within BLE range can trigger a heap-based buffer overflow, leading to device crashes and potential memory corruption that may enable further exploitation.

Affected Products

  • Golioth Pouch version 0.1.0 (prior to commit 1b2219a1)
  • IoT devices and embedded systems utilizing Golioth Pouch BLE GATT server functionality
  • Systems with BLE connectivity exposed to adjacent network attackers

Discovery Timeline

  • 2026-02-26 - CVE-2026-23750 published to NVD
  • 2026-02-26 - Last updated in the NVD database

Technical Details for CVE-2026-23750

Vulnerability Analysis

This heap-based buffer overflow (CWE-122) exists in the BLE GATT server certificate characteristic handling code within Golioth Pouch. The vulnerability stems from improper bounds checking when processing fragmented certificate data received over BLE.

The server_cert_write() function is responsible for receiving certificate fragments from BLE clients and assembling them into a complete certificate buffer. Upon receiving the first fragment, the function allocates a heap buffer with a fixed maximum size defined by CONFIG_POUCH_SERVER_CERT_MAX_LEN. However, when subsequent fragments arrive, the function uses memcpy() to append the payload data without validating whether the combined size of existing data plus the new fragment would exceed the buffer capacity.

This allows an attacker to craft a sequence of BLE GATT write operations that, when combined, exceed the allocated buffer size, resulting in heap memory corruption beyond the certificate buffer boundaries.

Root Cause

The root cause is a missing bounds check before the memcpy() operation in server_cert_write(). The function fails to verify that ctx->cert.size + payload_len does not exceed CONFIG_POUCH_SERVER_CERT_MAX_LEN before copying fragment data. This classic buffer overflow pattern lets attacker-controlled fragment bytes run past the end of the allocated heap buffer into whatever heap allocation follows it.

Attack Vector

The attack requires adjacent network access via Bluetooth Low Energy (BLE). An attacker within BLE range of a vulnerable device can exploit this vulnerability without authentication by:

  1. Initiating a BLE connection to the target device running Golioth Pouch
  2. Sending an initial certificate fragment to trigger buffer allocation
  3. Sending additional fragments whose cumulative size exceeds CONFIG_POUCH_SERVER_CERT_MAX_LEN
  4. Triggering the heap overflow when memcpy() writes beyond buffer bounds

This can result in denial of service through device crash, or potentially more severe impacts through controlled heap memory corruption.

         return BT_GATT_ERR(BT_ATT_ERR_INSUFFICIENT_RESOURCES);
     }
 
+    if (ctx->cert.size + payload_len > CONFIG_POUCH_SERVER_CERT_MAX_LEN)
+    {
+        return BT_GATT_ERR(BT_ATT_ERR_INVALID_ATTRIBUTE_LEN);
+    }
+
     memcpy((void *) &ctx->cert.buffer[ctx->cert.size], payload, payload_len);
     ctx->cert.size += payload_len;
 
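Review bot: on rejection the new check leaves ctx->cert.size and the partially assembled buffer untouched, so the next fragment simply resumes appending to the truncated certificate instead of starting a fresh reassembly; consider resetting the reassembly state (or freeing the buffer) before returning BT_GATT_ERR(BT_ATT_ERR_INVALID_ATTRIBUTE_LEN) so a rejected sequence cannot be continued into a malformed certificate. Also, depending on the declared types of ctx->cert.size and payload_len, the sum in `if (ctx->cert.size + payload_len > CONFIG_POUCH_SERVER_CERT_MAX_LEN)` can wrap; writing it as `if (payload_len > CONFIG_POUCH_SERVER_CERT_MAX_LEN - ctx->cert.size)` avoids the addition altogether.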

Source: Golioth Pouch fix commit 1b2219a1 (GitHub)

The patch adds proper bounds validation before the memcpy() call, checking if the current certificate size plus the incoming payload length would exceed the maximum buffer capacity. If so, it returns an appropriate error (BT_ATT_ERR_INVALID_ATTRIBUTE_LEN) instead of allowing the overflow.
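The attack sequence in steps 1 to 4 above and the bounds check in the patch, reduced to a stand-alone C model. This is an added example for this page, not Golioth Pouch code: the struct and function names (cert_ctx, cert_write_unchecked, cert_write_checked, replay_fragments), the guard region, and the numeric return codes are assumptions made for the illustration; only CONFIG_POUCH_SERVER_CERT_MAX_LEN, the allocate-on-first-fragment behaviour, and the shape of the missing check come from the advisory and the patch. The fragments replayed are constructed filler bytes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Small value for the demo; real builds set this through Kconfig. */
#define CONFIG_POUCH_SERVER_CERT_MAX_LEN 64
/* Guard region placed after the certificate buffer inside the same allocation, so an
 * overflow of up to GUARD_LEN bytes is observable without undefined behaviour (demo only). */
#define GUARD_LEN 64
static const uint8_t GUARD_PATTERN[4] = { 0xA5, 0x5A, 0xA5, 0x5A };

struct cert_ctx {
    uint8_t *block;   /* one allocation: [buffer | guard] */
    uint8_t *buffer;  /* == block; CONFIG_POUCH_SERVER_CERT_MAX_LEN bytes */
    size_t size;      /* bytes assembled so far */
};

/* First fragment: allocate the buffer, as the advisory says server_cert_write() does.
 * -1 stands in for the BT_ATT_ERR_INSUFFICIENT_RESOURCES path. */
static int cert_alloc_if_needed(struct cert_ctx *ctx)
{
    if (ctx->block != NULL) return 0;
    ctx->block = calloc(1, CONFIG_POUCH_SERVER_CERT_MAX_LEN + GUARD_LEN);
    if (ctx->block == NULL) return -1;
    for (size_t i = 0; i < GUARD_LEN; i++) {
        ctx->block[CONFIG_POUCH_SERVER_CERT_MAX_LEN + i] = GUARD_PATTERN[i % 4];
    }
    ctx->buffer = ctx->block;
    ctx->size = 0;
    return 0;
}

/* Vulnerable pattern (pre-1b2219a1 behaviour as described): append without checking
 * the remaining capacity. */
static int cert_write_unchecked(struct cert_ctx *ctx, const uint8_t *payload, size_t payload_len)
{
    int rc = cert_alloc_if_needed(ctx);
    if (rc != 0) return rc;
    memcpy(&ctx->buffer[ctx->size], payload, payload_len);
    ctx->size += payload_len;
    return 0;
}

/* Hardened pattern: the fix's bounds check, written as a subtraction so it cannot wrap
 * if size and payload_len were narrow unsigned types. Resetting the partial certificate
 * on rejection is an extra choice made here; the quoted patch only returns the error. */
static int cert_write_checked(struct cert_ctx *ctx, const uint8_t *payload, size_t payload_len)
{
    int rc = cert_alloc_if_needed(ctx);
    if (rc != 0) return rc;
    if (payload_len > CONFIG_POUCH_SERVER_CERT_MAX_LEN - ctx->size) {
        ctx->size = 0;
        return -2;  /* stands in for BT_ATT_ERR_INVALID_ATTRIBUTE_LEN */
    }
    memcpy(&ctx->buffer[ctx->size], payload, payload_len);
    ctx->size += payload_len;
    return 0;
}

typedef int (*cert_writer)(struct cert_ctx *, const uint8_t *, size_t);

struct replay_result {
    size_t accepted;   /* bytes the writer accepted */
    int first_err;     /* 0 if every fragment was accepted */
    int guard_intact;  /* 1 if the guard region after the buffer is unchanged */
};

/* Replays constructed GATT write payloads (filler bytes) of the given lengths against a
 * writer, then inspects the guard region. Sequences that would run past the guard are
 * refused (-3) so the demo itself stays memory-safe. */
static struct replay_result replay_fragments(cert_writer writer, const size_t *lens, size_t n)
{
    struct cert_ctx ctx = { NULL, NULL, 0 };
    struct replay_result res = { 0, 0, 1 };
    uint8_t frag[CONFIG_POUCH_SERVER_CERT_MAX_LEN + GUARD_LEN];
    size_t total = 0;

    for (size_t i = 0; i < n; i++) total += lens[i];
    if (total > sizeof(frag)) { res.first_err = -3; return res; }
    memset(frag, 0x41, sizeof(frag));

    for (size_t i = 0; i < n; i++) {
        int rc = writer(&ctx, frag, lens[i]);
        if (rc != 0) { res.first_err = rc; break; }
        res.accepted += lens[i];
    }
    if (ctx.block != NULL) {
        const uint8_t *guard = ctx.block + CONFIG_POUCH_SERVER_CERT_MAX_LEN;
        for (size_t i = 0; i < GUARD_LEN; i++) {
            if (guard[i] != GUARD_PATTERN[i % 4]) { res.guard_intact = 0; break; }
        }
        free(ctx.block);
    }
    return res;
}
```

Two 40-byte fragments against cert_write_unchecked are both accepted (80 bytes into a 64-byte buffer) and the guard region is clobbered; the same two fragments against cert_write_checked stop after 40 bytes with the second write rejected and the guard untouched. The demo keeps a 64-byte limit and a guard region inside one allocation so the overflow is visible without corrupting the allocator; on the real device the bytes past the buffer land in whatever heap block follows, which is why the advisory lists integrity impact alongside the crash.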

Detection Methods for CVE-2026-23750

Indicators of Compromise

  • Unexpected device crashes or reboots in systems running Golioth Pouch with BLE enabled
  • BLE connection anomalies including unusually large or numerous GATT write operations to certificate characteristics
  • Heap corruption artifacts in device memory dumps or crash logs
  • Unusual BLE client connection patterns from unknown devices in proximity

Detection Strategies

  • Monitor BLE GATT server logs for repeated write operations to server certificate characteristics
  • Implement heap integrity checking mechanisms to detect corruption
  • Deploy BLE traffic monitoring to identify anomalous connection patterns or payload sizes
  • Enable crash reporting and memory dump analysis on affected embedded devices

Monitoring Recommendations

  • Implement BLE connection logging to track client connections and GATT operations
  • Configure watchdog timers to detect and recover from crash conditions
  • Deploy intrusion detection for BLE environments where feasible
  • Establish baseline BLE traffic patterns to identify anomalous activity

How to Mitigate CVE-2026-23750

Immediate Actions Required

  • Update Golioth Pouch to a version containing commit 1b2219a1 or later
  • Restrict BLE pairing and connections to trusted devices only where possible
  • Disable BLE functionality on devices where it is not required
  • Limit BLE exposure: BLE is a radio link, so conventional network segmentation does not apply; rely on physical placement of the devices and on connection filtering instead

Patch Information

The vulnerability is fixed in commit 1b2219a1 of the Golioth Pouch repository. The fix adds a bounds check before the memcpy() operation to ensure that the combined size of existing certificate data and incoming payload does not exceed CONFIG_POUCH_SERVER_CERT_MAX_LEN. Organizations should update to this commit or any subsequent release containing this fix.

Workarounds

  • Disable BLE GATT server functionality if certificate provisioning over BLE is not required
  • Implement BLE whitelist filtering to restrict connections to known, trusted devices
  • Deploy physical security controls to limit attacker proximity to vulnerable devices
  • Consider using alternative secure provisioning methods until patching is complete
# Kconfig fragment (prj.conf). CONFIG_POUCH_BLE_GATT_SERVER is the symbol this page
# names; confirm it against the Pouch Kconfig before relying on it.
# Disable the BLE GATT server if certificate provisioning over BLE is not required:
CONFIG_POUCH_BLE_GATT_SERVER=n

# Where the server must stay enabled and the build is on Zephyr (the BT_GATT_ERR /
# BT_ATT_ERR_* macros in the patch are Zephyr's), the filter accept list lets the
# controller refuse connections from addresses that have not been added to it:
CONFIG_BT_FILTER_ACCEPT_LIST=y

# Note: CONFIG_BT_GAP_AUTO_UPDATE_CONN_PARAMS only controls automatic connection
# parameter updates and CONFIG_BT_PRIVACY only randomizes the device's own address;
# neither stops an unauthenticated peer from connecting and writing to the
# characteristic, so they are not mitigations for this issue.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
