CVE-2026-8836
Description
A vulnerability was found in lwIP up to 2.2.1. It affects the function snmp_parse_inbound_frame in the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Manipulating the argument msgAuthenticationParameters results in a stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. Installing the patch is recommended to address this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in lwIP's SNMPv3 USM handler via crafted msgAuthenticationParameters allows remote code execution.
CVE-2026-8836 describes a critical stack-based buffer overflow in lwIP up to version 2.2.1. The vulnerability resides in the snmp_parse_inbound_frame function within src/apps/snmp/snmp_msg.c, which handles SNMPv3 USM authentication parameters. The parsing of msgAuthenticationParameters lacks a bounds check, allowing an attacker to supply an oversized length value that overflows a fixed-size stack buffer [1][2].
Exploitation is remotely initiated without requiring authentication. An attacker only needs network access to the SNMP service to send a crafted SNMPv3 packet containing an invalid msgAuthenticationParameters length. The overflow occurs during the decoding of ASN.1 data, bypassing any prior validation [1][2].
Successful exploitation can lead to stack corruption, potentially enabling denial of service or arbitrary code execution with the privileges of the SNMP service. The CVSS v3 score of 9.8 reflects the high impact and ease of exploitation.
A patch is available in commit 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. The fix adds an assertion to validate the length against SNMP_V3_MAX_AUTH_PARAM_LENGTH and passes that constant instead of the raw TLV length to snmp_asn1_dec_raw [1][2]. Users should update lwIP to a version containing this patch.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 1
0c957ec03054 snmpv3: fix handling packets with invalid msgAuthenticationParameters length
1 file changed · +2 −2
src/apps/snmp/snmp_msg.c+2 −2 modified@@ -946,9 +946,9 @@ snmp_parse_inbound_frame(struct snmp_request *request) inbound_msgAuthenticationParameters_offset = pbuf_stream.offset; LWIP_UNUSED_ARG(inbound_msgAuthenticationParameters_offset); /* Read auth parameters */ - /* IF_PARSE_ASSERT(tlv.value_len <= SNMP_V3_MAX_AUTH_PARAM_LENGTH); */ + IF_PARSE_ASSERT(tlv.value_len <= SNMP_V3_MAX_AUTH_PARAM_LENGTH); IF_PARSE_EXEC(snmp_asn1_dec_raw(&pbuf_stream, tlv.value_len, request->msg_authentication_parameters, - &u16_value, tlv.value_len)); + &u16_value, SNMP_V3_MAX_AUTH_PARAM_LENGTH)); request->msg_authentication_parameters_len = (u8_t)u16_value; /* msgPrivacyParameters */
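Review bot: In the snmp_asn1_dec_raw call, the new final argument is the constant SNMP_V3_MAX_AUTH_PARAM_LENGTH rather than the size of the destination request->msg_authentication_parameters, so the bound is only correct while the declaration (not shown in this hunk) keeps the two equal. If the destination is an array member, passing sizeof(request->msg_authentication_parameters), or adding a compile-time check that ties the constant to the buffer, would keep the bound from drifting. The (u8_t)u16_value cast on the following line likewise depends on that constant staying at or below 255, which deserves a comment or a static check. The change touches one file and adds no test; a unit test that feeds a msgAuthenticationParameters TLV one byte over the limit and expects a parse failure would guard against the assertion being commented out again.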
Vulnerability mechanics
Root cause
"Missing bounds check on msgAuthenticationParameters length allows a stack-based buffer overflow when copying attacker-controlled data into a fixed-size buffer."
Attack vector
An unauthenticated remote attacker sends a crafted SNMPv3 packet containing a msgAuthenticationParameters field whose length exceeds SNMP_V3_MAX_AUTH_PARAM_LENGTH. The vulnerable function snmp_parse_inbound_frame [patch_id=424426] copies the attacker-supplied value_len bytes into the stack-allocated buffer request->msg_authentication_parameters without verifying that value_len does not exceed the buffer capacity. This enables a classic stack-based buffer overflow [CWE-121] that can overwrite adjacent stack data, leading to arbitrary code execution. No authentication or special network position is required; the attack is launched over the network using the SNMP protocol.
Affected code
The vulnerability resides in src/apps/snmp/snmp_msg.c within the function snmp_parse_inbound_frame. The stack-allocated buffer request->msg_authentication_parameters is written to via snmp_asn1_dec_raw using an attacker-controlled length (tlv.value_len) without first verifying it against SNMP_V3_MAX_AUTH_PARAM_LENGTH. A commented-out assertion (IF_PARSE_ASSERT) that would have enforced this bound was previously disabled.
What the fix does
The patch [patch_id=424426] makes two changes in snmp_parse_inbound_frame. First, it uncomments the assertion IF_PARSE_ASSERT(tlv.value_len <= SNMP_V3_MAX_AUTH_PARAM_LENGTH), which validates that the incoming parameter length does not exceed the maximum allowed value. Second, it changes the third argument to snmp_asn1_dec_raw from tlv.value_len (the attacker-controlled length) to SNMP_V3_MAX_AUTH_PARAM_LENGTH (the safe constant), ensuring that even if the assertion is disabled in release builds, the copy operation is bounded by the actual buffer size. Together these changes prevent writing beyond the stack buffer.
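A simplified model of the call shape before and after the patch, added here as an example (it is not lwIP code and not part of the original page). The names dec_raw, parse_auth and MAX_AUTH_LEN, the 12- and 20-byte sizes, and the helper's capacity check are constructed assumptions; the point is that a capacity argument taken from the sender's own length makes the helper's bounds check always pass.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_AUTH_LEN 12 /* constructed stand-in for SNMP_V3_MAX_AUTH_PARAM_LENGTH */
#define GUARD_LEN    20 /* models whatever sits after the buffer */

/* Bounded raw copy (assumed helper behaviour): refuse len > stated capacity. */
static int dec_raw(const uint8_t *src, uint16_t len, uint8_t *buf, uint16_t buf_max_len)
{
  if (len > buf_max_len) return -1;
  memcpy(buf, src, len);
  return 0;
}

/* Decode one value with the pre-patch (patched == 0) or post-patch call shape.
 * Returns 0 if accepted, -1 if rejected; *guard_ok is 0 if the guard changed. */
int parse_auth(const uint8_t *val, uint16_t value_len, int patched, int *guard_ok)
{
  /* One array: [0,12) auth buffer, [12,32) guard, so the demo stays in bounds. */
  uint8_t mem[MAX_AUTH_LEN + GUARD_LEN];
  size_t i;
  int rc;
  memset(mem, 0xAA, sizeof(mem));
  *guard_ok = 1;
  if (value_len > sizeof(mem)) return -1; /* demo safety only, not part of the model */
  if (patched) {
    if (value_len > MAX_AUTH_LEN) return -1;         /* re-enabled length check */
    rc = dec_raw(val, value_len, mem, MAX_AUTH_LEN); /* capacity = buffer size */
  } else {
    rc = dec_raw(val, value_len, mem, value_len);    /* capacity = sender's length */
  }
  for (i = MAX_AUTH_LEN; i < sizeof(mem); i++)
    if (mem[i] != 0xAA) *guard_ok = 0;
  return rc;
}

int main(void)
{
  uint8_t value[20]; /* constructed value, 8 bytes over the limit */
  int ok_pre, ok_post, rc_pre, rc_post;
  memset(value, 0x41, sizeof(value));
  rc_pre = parse_auth(value, sizeof(value), 0, &ok_pre);
  rc_post = parse_auth(value, sizeof(value), 1, &ok_post);
  printf("pre: rc=%d guard_ok=%d  post: rc=%d guard_ok=%d\n", rc_pre, ok_pre, rc_post, ok_post);
  return 0;
}
```

In the pre-patch shape the over-long value is accepted and the guard region is modified; in the post-patch shape it is rejected before any copy.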
Preconditions
- network: Attacker must be able to send a crafted SNMPv3 packet to the target device on the network.
- input: The SNMPv3 packet must contain a msgAuthenticationParameters field whose length exceeds SNMP_V3_MAX_AUTH_PARAM_LENGTH.
Generated by deepseek/deepseek-v4-flash-20260423 on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.