CVE-2026-8836

CRITICAL

lwIP snmpv3 USM snmp_msg.c snmp_parse_inbound_frame stack-based overflow

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-8836. PoCs published by Hunt-Benito.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-8836, a stack-based buffer overflow in lwIP's SNMPv3 USM handler. The exploit constructs a malicious SNMPv3 packet with an oversized msgAuthenticationParameters field to trigger the vulnerability.

Description

A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue.

Exploits (1)

github WORKING POC

by Hunt-Benito · pythonpoc

https://github.com/Hunt-Benito/lwip-snmpv3-stack-overflow-cve-2026-8836-critical-embedded-rce

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-8836, a stack-based buffer overflow in lwIP's SNMPv3 USM handler. The exploit constructs a malicious SNMPv3 packet with an oversized msgAuthenticationParameters field to trigger the vulnerability.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: lwIP <= 2.2.1 with LWIP_SNMP_V3 enabled

No auth needed

Prerequisites: Network access to the target device · SNMPv3 service enabled on the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 31, 2026 Full analysis →

References (6)

Core 6

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-364474 | lwIP snmpv3 USM snmp_msg.c snmp_parse_inbound_frame stack-based overflow

https://vuldb.com/vuln/364474

Signature, Permissions Required signature permissions-required

VDB-364474 | CTI Indicators (IOB, IOC, IOA)

https://vuldb.com/vuln/364474/cti

Third Party Advisory third-party-advisory

Submit #829798 | lwIP 2.1.0 Stack-based Buffer Overflow

https://vuldb.com/submit/829798

Broken Link broken-link

https://savannah.nongnu.org/bugs/?68194

Patch broken-link patch

https://cgit.git.savannah.gnu.org/cgit/lwip.git/commit/?id=0c957ec03054eb6c8205e9c9d1d05d90ada3898c

Patch patch

https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0028

EPSS Percentile 52.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-119 CWE-121

Status published

Products (6)

None/lwIP 2.1.0

None/lwIP 2.1.1

None/lwIP 2.1.2

None/lwIP 2.1.3

None/lwIP 2.2.0

None/lwIP 2.2.1

Published May 18, 2026

Tracked Since May 19, 2026