CVE-2018-3926

MEDIUM

Samsung SmartThings Hub STH-ETH-250 Firmware 0.20.17 - Integer Underflow via Malformed Firmware Update File


Description

An exploitable integer underflow vulnerability exists in the ZigBee firmware update routine of the hubCore binary of the Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore process incorrectly handles malformed files existing in its data directory, leading to an infinite loop, which eventually causes the process to crash. An attacker can send an HTTP request to trigger this vulnerability.

References (2)

http://www.securityfocus.com/bid/105162 (Broken Link, Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)
https://talosintelligence.com/vulnerability_reports/TALOS-2018-0593 (Exploit, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 5.5
EPSS 0.0007
EPSS Percentile 21.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-191
Status published
Products (1)
samsung/sth-eth-250_firmware 0.20.17
Published Aug 28, 2018
Tracked Since Feb 18, 2026