CVE-2018-3878
Description
Multiple exploitable buffer overflow vulnerabilities exist in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 devices with firmware version 0.20.17. The video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. A strncpy overflows the destination buffer, which has a size of 16 bytes. An attacker can send an arbitrarily long "region" value in order to exploit this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack buffer overflow in the credentials handler of Samsung SmartThings Hub's video-core HTTP server allows remote authenticated attackers to execute arbitrary code.
Vulnerability
The video-core process in Samsung SmartThings Hub STH-ETH-250 firmware version 0.20.17 contains a stack buffer overflow in the credentials handler of its HTTP server. When parsing a JSON payload, the strncpy function copies the user-supplied "region" value into a fixed 16-byte stack buffer without proper bounds checking, leading to a buffer overflow [1]. The affected component is the video-core HTTP server, which handles credential processing.
Exploitation
An attacker with network access to the hub and valid low-privilege credentials can send a crafted HTTP request containing an arbitrarily long "region" value in the JSON payload. No user interaction is required. The overflow occurs during the parsing of the credentials handler, overwriting adjacent stack memory [1].
Impact
Successful exploitation allows the attacker to overwrite stack memory, potentially leading to arbitrary code execution in the context of the video-core process. Given the CVSS scope change (S:C), the attacker may affect resources beyond the vulnerable component, possibly gaining full control of the hub [1].
Mitigation
As of the advisory publication date (August 2018), Samsung had not released a firmware update to address this vulnerability. No workaround is available. Users should monitor for official updates from Samsung. The device may be end-of-life, but this is not confirmed in the reference [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: = 0.20.17
- Samsung/SmartThings Hub STH-ETH-250v5Range: Firmware version 0.20.17
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1- www.talosintelligence.com/vulnerability_reports/TALOS-2018-0555mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.