PT-2026-22168 · Unknown · Golioth Firmware Sdk

Secmate · Published 2026-02-26 · Updated 2026-02-26 · CVE-2026-23749
CVSS v3.1: 2.9 (Low)
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Golioth Firmware SDK versions prior to 0.22.0

Description: The software contains an out-of-bounds read caused by a missing NUL terminator during a blockwise transfer. The blockwise-transfer init() function accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it with strncpy(), which writes no trailing NUL when the source fills the destination. This leaves the ctx->path buffer unterminated. A later strlen() on that buffer in golioth_coap_client_get_internal() can then read past the end of the allocation, which may crash the device (denial of service). The path is application-controlled, so the condition is triggered by a caller passing a maximum-length path rather than by a remote peer, which is why the vector is local (AV:L) and the score is Low.

Recommendations: Update to Golioth Firmware SDK version 0.22.0 or later. Until the update is applied, application code should keep blockwise-transfer paths shorter than CONFIG_GOLIOTH_COAP_MAX_PATH_LEN so that the copy leaves room for the terminator.
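The following is an added illustration of the strncpy()/strlen() pattern described above, not code from the Golioth Firmware SDK. The struct, the function names, the fill byte and the PATH_MAX_LEN value (standing in for CONFIG_GOLIOTH_COAP_MAX_PATH_LEN) are all made up for the demo; the only thing taken from the advisory is the bug pattern itself. The "strlen reach" helper bounds its scan to the demo struct so the example never reads outside allocated memory, whereas the real strlen() has no such bound.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for CONFIG_GOLIOTH_COAP_MAX_PATH_LEN; the value is made up for the demo. */
#define PATH_MAX_LEN 8

/* Hypothetical context: the path buffer is followed by another field, so an
 * unterminated path lets strlen() walk straight into it. */
struct demo_ctx {
    char path[PATH_MAX_LEN];
    char next_field[8];
};

/* Vulnerable pattern from the advisory: strncpy() with n == sizeof(path)
 * writes no NUL at all when the source is at least n bytes long. */
static void init_vulnerable(struct demo_ctx *ctx, const char *path)
{
    strncpy(ctx->path, path, sizeof(ctx->path));
}

/* Hardened version: measure with a bounded scan, refuse anything that would
 * not leave room for the terminator, then copy and terminate explicitly. */
static bool init_hardened(struct demo_ctx *ctx, const char *path)
{
    size_t len = strnlen(path, sizeof(ctx->path));
    if (len >= sizeof(ctx->path)) {
        return false;                 /* too long: no room for '\0' */
    }
    memcpy(ctx->path, path, len);
    ctx->path[len] = '\0';
    return true;
}

/* True if ctx->path holds a NUL somewhere inside its own bounds. */
static bool path_is_terminated(const struct demo_ctx *ctx)
{
    return memchr(ctx->path, '\0', sizeof(ctx->path)) != NULL;
}

/* Fill the context with non-zero bytes (so neighbouring memory does not
 * accidentally terminate the string), run the vulnerable init, and report how
 * many bytes a strlen() on ctx->path would scan. The scan is bounded to the
 * struct so the demo itself never leaves allocated memory; anything greater
 * than PATH_MAX_LEN means the real strlen() would already be out of bounds. */
static size_t vulnerable_strlen_reach(const char *path)
{
    struct demo_ctx ctx;
    memset(&ctx, 'X', sizeof(ctx));
    init_vulnerable(&ctx, path);
    return strnlen((const char *)&ctx, sizeof(ctx));  /* path is at offset 0 */
}

int main(void)
{
    const char *short_path = ".d/cfg";     /* 6 bytes: fits with terminator (constructed) */
    const char *max_path   = ".d/fw/01";   /* 8 bytes: exactly PATH_MAX_LEN (constructed) */

    printf("short path: strlen scans %zu bytes\n", vulnerable_strlen_reach(short_path));
    printf("max path:   strlen scans %zu bytes (buffer is %d)\n",
           vulnerable_strlen_reach(max_path), PATH_MAX_LEN);

    struct demo_ctx ctx;
    printf("hardened init(max path)   -> %s\n",
           init_hardened(&ctx, max_path) ? "ok" : "rejected");
    printf("hardened init(short path) -> %s, terminated=%d\n",
           init_hardened(&ctx, short_path) ? "ok" : "rejected",
           (int)path_is_terminated(&ctx));
    return 0;
}
```

The hardened variant deliberately rejects a path of exactly PATH_MAX_LEN bytes rather than silently truncating it, because truncation would change the CoAP path the caller asked for; a caller that needs longer paths should raise CONFIG_GOLIOTH_COAP_MAX_PATH_LEN instead.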

Related Identifiers

CVE-2026-23749

Affected Products

Golioth Firmware Sdk