CVE-2026-9267
MediumCVSS 6.9Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
Eclipse tinydtls before commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 contains an out-of-bounds read vulnerability in the check_server_certificate() function. An unauthenticated attacker can trigger reads beyond valid buffer boundaries by crafting a Certificate handshake message with a specific fragment_length value.
Risk Assessment
Attackers can exploit missing buffer length validation before uint24 reads, memcmp, and memcpy operations during DTLS epoch 0, causing denial of service on memory-constrained devices.
Recommendation
Update Eclipse tinydtls to a version containing commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 or later immediately.
Original NVD description (English source)
Eclipse tinydtls before commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 contains an out-of-bounds read vulnerability in the check_server_certificate() function that allows unauthenticated attackers to trigger reads beyond valid buffer boundaries by crafting a Certificate handshake message with a specific fragment_length value. Attackers can exploit missing buffer length validation before uint24 reads, memcmp, and memcpy operations during DTLS epoch 0 on both client and server paths to cause denial of service on memory-constrained devices.

