← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-8836 · CWE-119 · Disclosed 2026-05-18

A vulnerability was found in lwIP up to 2

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a landmine hidden in an optional maintenance hatch, not a hole in every wall

CVE-2026-8836 is a stack-based buffer overflow in lwIP's SNMPv3 USM parsing path, specifically snmp_parse_inbound_frame() in src/apps/snmp/snmp_msg.c. Upstream lwIP versions through 2.2.1 are affected; the fix is a small bounds-checking patch in commit 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. The bug is reachable over the network *if* the device includes the optional SNMP agent code, has SNMPv3 enabled, and exposes that management surface to an attacker.

The vendor-style 9.8 score is technically defensible in a lab because the bug is pre-auth, remote, and memory unsafe. In enterprise reality it overstates fleet-wide urgency: lwIP is a library, not a uniform product, and this flaw sits in an optional SNMPv3 feature that many deployments never compile, never enable, or never expose beyond a management VLAN. That drops this from universal fire-drill territory to a focused but real HIGH.

"Pre-auth network memory corruption, but only on the small slice of lwIP builds that actually ship SNMPv3."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable SNMP listener with nmap or onesixtyone

The attacker first needs UDP/161 reachability to the target and a live SNMP agent. Generic network discovery can identify exposed SNMP services, but it usually cannot prove the target is specifically lwIP or that SNMPv3 is enabled.
Conditions required:
  • Target device is reachable over the network on UDP/161
  • SNMP agent is enabled on the device
Where this breaks in practice:
  • Many enterprises ACL SNMP to NMS subnets only
  • A large share of lwIP deployments do not expose management services externally
  • Internet-wide banners do not reliably fingerprint lwIP
Detection/coverage: Routine vulnerability scanners and asset scans can detect UDP/161 exposure, but not reliably this specific vulnerable parser path.
STEP 02

Confirm the SNMPv3 parsing path with Scapy or a custom SNMPv3 harness

The vulnerable code lives in the SNMPv3 USM handler, so the attacker must hit the v3 message-processing path rather than plain SNMPv1/v2c. A custom packet generator can send malformed v3 frames that exercise msgAuthenticationParameters handling without needing valid credentials.
Conditions required:
  • The build includes the optional SNMP agent
  • SNMPv3 support is compiled and enabled
Where this breaks in practice:
  • Many products embedding lwIP use only the core TCP/IP stack and not SNMP apps
  • Some devices ship SNMPv2c only, or disable SNMPv3 entirely
Detection/coverage: PCAP or IDS can spot malformed or oversized SNMPv3 msgAuthenticationParameters, but signature quality will vary and many embedded networks lack deep packet inspection.
STEP 03

Trigger the overflow in snmp_parse_inbound_frame()

The vulnerable code accepted an attacker-controlled length and copied raw authentication parameters without enforcing the intended maximum. The fix adds an assertion on SNMP_V3_MAX_AUTH_PARAM_LENGTH and changes the decode call to use that bounded size instead of the attacker-supplied length.
Conditions required:
  • Target is running vulnerable upstream code at or before 2.2.1, or an equivalent downstream fork without the patch
  • The malformed packet reaches the parser intact
Where this breaks in practice:
  • Turning a parser crash into reliable RCE on embedded targets is architecture- and compiler-dependent
  • Some downstream vendors may already have silently backported the fix
Detection/coverage: SCA/SBOM tooling and source inspection can detect vulnerable code; network-only scanners usually cannot. On the target, symptoms may be process crash, watchdog reboot, or SNMP service death.
STEP 04

Land impact: likely DoS first, possible device-level code execution

On embedded systems, the most repeatable outcome is often denial of service or a watchdog-triggered reboot. If exploit reliability is achieved, code execution would occur in the management-plane context of the device, which is still valuable because these appliances often sit in trusted network positions.
Conditions required:
  • The target device is operationally important or trusted inside the network
  • Attacker can sustain packet delivery long enough to exploit or crash it
Where this breaks in practice:
  • Blast radius is bounded to devices that both embed lwIP and expose this feature
  • Embedded runtime protections and limited post-exploitation tooling may reduce attacker payoff
Detection/coverage: Look for unexpected device reboots, SNMP polling failures, watchdog events, and monitoring gaps on network gear or OT devices.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo verified public exploitation evidence in the official sources reviewed, and not listed in CISA KEV.
Public PoC availabilityNo public PoC located in the official references reviewed. *Inference:* weaponization effort is low because the upstream fix is a tiny, readable bounds-check patch.
EPSS0.00286 (0.286%) from the user-supplied intel. Percentile not independently verified from a primary EPSS record during this assessment.
KEV statusNot listed in the CISA Known Exploited Vulnerabilities Catalog.
CVSS vector reality checkCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H correctly captures the *technical* path, but it ignores deployment friction: optional SNMP agent, SNMPv3-specific path, and management-plane exposure.
Affected versionsUpstream lwIP through 2.2.1; vulnerable function is snmp_parse_inbound_frame() in src/apps/snmp/snmp_msg.c.
Fixed stateUpstream fix is commit 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. A named upstream release carrying the fix was not verified from the official sources reviewed.
Distro/backport pictureDebian's tracker shows lwip still vulnerable/unfixed in its tracked source-package view at the reviewed snapshot, which is a reminder that downstream package status may lag even when an upstream commit exists.
Exposure realityScanner visibility is weak. This is an embedded library flaw, so internet scanning cannot cleanly count exposed systems; real exposure depends on whether vendors shipped the SNMP agent, enabled SNMPv3, and left UDP/161 reachable.
Disclosure / provenanceNVD shows disclosure on 2026-05-18 with the CVE record sourced from VulDB. The patch commit is authored by 0rbitingZer0 and committed by Simon Goldschmidt.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (7.4/10)

The decisive downgrade factor is reachability population: this is not in the core lwIP data path, it is in the optional SNMPv3 management parser. It stays HIGH because, where that feature is present and reachable, this is still pre-auth remote memory corruption on devices that often sit in trusted network zones and lack strong endpoint controls.

HIGH Technical root cause and affected code path
MEDIUM Real-world exposure prevalence across enterprise fleets
MEDIUM Likelihood of reliable RCE versus crash-only outcomes

Why this verdict

  • Down from 9.8 because this is an optional component, not the core stack — the bug lives in the SNMP app code, so a huge fraction of lwIP consumers are unaffected in practice.
  • Down again because the vulnerable path is SNMPv3-specific — requiring the v3 USM parser narrows the population further versus 'any network packet to any lwIP host'.
  • Still high because attacker position can be unauthenticated remote — once UDP/161 to a vulnerable device is reachable, the parser can be hit without creds or user action.
  • Still high because embedded management surfaces are sticky — these devices often live for years, patch slowly, and sit on flat or trusted management networks where one foothold makes later movement easier.

Why not higher?

This is not a universal lwIP internet-RCE in the way the headline score implies. There is no verified KEV listing, no verified public exploitation evidence in the official sources reviewed, and the reachable population is sharply reduced by optional-feature and management-plane exposure requirements.

Why not lower?

Calling this MEDIUM would underweight the fact that the bug is still pre-auth, network reachable, and memory unsafe when the feature is present. On embedded network gear or OT-adjacent devices, even crash-only exploitation can have outsized operational impact, and successful code execution would land inside a trusted appliance context.

05 · Compensating Control

What to do — in priority order.

  1. Restrict UDP/161 now — Apply ACLs so SNMP is reachable only from your management servers and jump networks. For a HIGH verdict, deploy this within 30 days; if you already know a vulnerable device is internet- or user-segment-exposed, do it immediately rather than waiting.
  2. Disable SNMPv3 where unused — If the product allows disabling the SNMP agent or SNMPv3 specifically, turn it off on systems that do not require it. This removes the vulnerable parser path entirely and should be completed within 30 days.
  3. Segment management planes — Move affected devices behind dedicated management VLANs or out-of-band networks and block SNMP from workstation/user segments. For HIGH, this is a within-30-days mitigation because it shrinks attacker reach even if patching is delayed.
  4. Monitor for device instability — Add alerts for unexpected reboots, SNMP polling failures, watchdog resets, and disappearing devices. Do this within 30 days so you can catch crash-oriented exploitation or testing while the fleet is being remediated.
What doesn't work
  • MFA does nothing here because the vulnerable parser is hit before any normal admin login workflow.
  • Relying on SNMPv3 auth/privacy settings alone is not enough; the flaw is in parsing the authentication parameters themselves.
  • Traditional EDR on laptops and servers is mostly irrelevant because many affected targets are embedded devices or appliances with no host sensor.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation, CI job, or build host against an extracted firmware source tree or vendor SDK that contains lwIP sources. Invoke it as python3 verify_lwip_cve_2026_8836.py /path/to/lwip with read access only; no admin privileges are required.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# verify_lwip_cve_2026_8836.py
# Detects the vulnerable vs patched SNMPv3 auth-parameter length handling in lwIP.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import re
import sys

VULN_FILE = os.path.join('src', 'apps', 'snmp', 'snmp_msg.c')

VULN_PATTERNS = [
    r'/\*\s*IF_PARSE_ASSERT\(tlv\.value_len\s*<=\s*SNMP_V3_MAX_AUTH_PARAM_LENGTH\);\s*\*/',
    r'&u16_value\s*,\s*tlv\.value_len\s*\)\s*;'
]

PATCH_PATTERNS = [
    r'IF_PARSE_ASSERT\(tlv\.value_len\s*<=\s*SNMP_V3_MAX_AUTH_PARAM_LENGTH\);',
    r'&u16_value\s*,\s*SNMP_V3_MAX_AUTH_PARAM_LENGTH\s*\)\s*;'
]


def load_file(root):
    path = os.path.join(root, VULN_FILE)
    if not os.path.isfile(path):
        return None, path
    try:
        with open(path, 'r', encoding='utf-8', errors='ignore') as f:
            return f.read(), path
    except Exception:
        return None, path


def main():
    if len(sys.argv) != 2:
        print('UNKNOWN - usage: python3 verify_lwip_cve_2026_8836.py /path/to/lwip')
        sys.exit(2)

    root = sys.argv[1]
    text, path = load_file(root)
    if text is None:
        print(f'UNKNOWN - could not read expected source file: {path}')
        sys.exit(2)

    vuln_hits = all(re.search(p, text, re.MULTILINE) for p in VULN_PATTERNS)
    patch_hits = all(re.search(p, text, re.MULTILINE) for p in PATCH_PATTERNS)

    if patch_hits and not vuln_hits:
        print(f'PATCHED - fixed bounds checks found in {path}')
        sys.exit(0)

    if vuln_hits and not patch_hits:
        print(f'VULNERABLE - vulnerable auth-parameter length handling found in {path}')
        sys.exit(1)

    # Mixed or unrecognized code: could be vendor backport, refactor, or unrelated fork.
    print(f'UNKNOWN - unable to classify {path}; inspect handling of SNMP_V3_MAX_AUTH_PARAM_LENGTH and snmp_asn1_dec_raw() manually')
    sys.exit(2)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat this as a generic lwIP panic patch across all 10,000 hosts; treat it as a targeted hunt for embedded devices and firmware that both embed lwIP and expose SNMPv3. Inventory anything listening on UDP/161, confirm whether the product actually uses the vulnerable SNMPv3 code path, then apply ACLs or disable SNMPv3 within the noisgate mitigation SLA of 30 days for this HIGH finding, and complete firmware patching or vendor image replacement within the noisgate remediation SLA of 180 days. If you discover internet-exposed or user-segment-exposed affected devices, accelerate both steps immediately even without KEV evidence.

Sources

  1. NVD CVE-2026-8836
  2. Upstream fix commit
  3. lwIP repository README
  4. lwIP SNMPv2c/v3 agent documentation
  5. lwIP SNMPv3 header documentation
  6. Debian CVE tracker entry
  7. Debian source package tracker for lwip
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.