Description
Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent fragments using memcpy() without verifying that sufficient capacity remains. An adjacent BLE client can send unauthenticated fragments whose combined size exceeds the allocated buffer, causing a heap overflow and crash; integrity impact is also possible due to memory corruption.
References (4)
Scores
CVSS v3
8.1
EPSS
0.0002
EPSS Percentile
4.0%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-122
Status
published
Products (3)
Golioth/Pouch
0.1.0
Golioth/Pouch
1b2219a159bcbef3f37caa303bbf14d14e979c11
Golioth/Pouch
commit 1b2219a1
Published
Feb 26, 2026
Tracked Since
Feb 27, 2026