cbcvebase.
CVE-2026-8836
published 2026-05-18


Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.02% (58.9th percentile)
A vulnerability was found in lwIP up to and including 2.2.1. The affected function is snmp_parse_inbound_frame in src/apps/snmp/snmp_msg.c, part of the SNMPv3 USM handler. Manipulation of the msgAuthenticationParameters argument results in a stack-based buffer overflow, and the attack can be initiated remotely. The fix is commit 0c957ec03054eb6c8205e9c9d1d05d90ada3898c; applying it is recommended.

Affected (1 range)

Vendor   Product   Version range   Fixed in
ubuntu   lwip      (not listed)    (not listed)

Detection & IOCs (extracted from sources)

path: src/apps/snmp/snmp_msg.c
hash: 0c957ec03054eb6c8205e9c9d1d05d90ada3898c
url: https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c
  • The vulnerable function is `snmp_parse_inbound_frame` in `src/apps/snmp/snmp_msg.c`. Audit or monitor SNMPv3 traffic that reaches this code path; the trigger is a manipulated `msgAuthenticationParameters` field, which causes the stack-based buffer overflow.
  • The issue is remotely exploitable. Look for anomalous or oversized SNMPv3 USM `msgAuthenticationParameters` fields in inbound SNMP frames (UDP port 161) sent to devices running lwIP up to version 2.2.1.
  • Successful exploitation can lead to arbitrary code execution or denial of service. Correlate unexpected crashes or restarts of lwIP-based services with inbound SNMPv3 traffic as a possible exploitation indicator.
  • Only lwIP deployments with the SNMPv3 USM handler enabled are affected; deployments that do not use SNMPv3 are not impacted by this issue.
  • lwIP is often bundled inside downstream projects such as ocproxy rather than installed as a separate package. Patching means locating and updating the bundled copy, not just the system package.
  • Affected versions are lwIP up to and including 2.2.1. Verify the exact embedded version in use, since a bundled copy may not match the system-level package version.
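The detection notes above reduce to one comparison: does the declared length of the USM msgAuthenticationParameters octet string exceed the fixed buffer it is copied into. The C program below is an added example written for this page; it is not lwIP's code and is not taken from the fix commit. It walks the BER structure of an SNMPv3 message down to that field and copies it only when the declared length fits, returning a distinct code when it does not, which is also the condition a sensor on UDP/161 would alert on. Assumptions not taken from the page: the 12-byte limit follows the HMAC-MD5-96/HMAC-SHA-96 authentication parameter size from RFC 3414 (lwIP's own buffer size is not stated here), the function and constant names are this example's own, and the sample messages are constructed by build_sample_msg rather than captured.

```c
/* Added example, not lwIP code: bounded extraction of the SNMPv3 USM
 * msgAuthenticationParameters field. The 12-byte limit is taken from RFC 3414
 * (HMAC-MD5-96/SHA-96); names are this example's own, samples are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define AUTH_PARAM_MAX 12   /* assumed size of the fixed destination buffer */
enum usm_result { USM_OK = 0, USM_MALFORMED = -1, USM_AUTH_PARAM_TOO_LONG = -2 };
struct ber_tlv { size_t len; const uint8_t *val; };

/* Decode one definite-length BER TLV of the expected type at *p and step past it.
 * Returns 1 and fills t on success, 0 on a type mismatch or a malformed/truncated TLV. */
static int ber_next(const uint8_t **p, size_t *n, uint8_t type, struct ber_tlv *t)
{
    const uint8_t *q = *p; size_t i = 1, len, nb;
    if (*n < 2 || q[0] != type) return 0;
    if (q[i] < 0x80) len = q[i++];                         /* short form */
    else {                                                 /* long form, 1 or 2 length bytes */
        nb = q[i++] & 0x7f;
        if (nb == 0 || nb > 2 || i + nb > *n) return 0;
        for (len = 0; nb; nb--) len = (len << 8) | q[i++];
    }
    if (len > *n - i) return 0;                            /* declared length exceeds the buffer */
    t->len = len; t->val = q + i;
    *p += i + len; *n -= i + len;
    return 1;
}

/* Walk an SNMPv3 message down to msgAuthenticationParameters and copy it into
 * out[] only if it fits. The sender controls the declared length of every field. */
int usm_auth_params(const uint8_t *msg, size_t msg_len, uint8_t out[AUTH_PARAM_MAX], size_t *out_len)
{
    /* UsmSecurityParameters ::= SEQUENCE { engineID, boots, time, userName, authParams, privParams } */
    static const uint8_t usm_types[] = {0x04, 0x02, 0x02, 0x04, 0x04};
    struct ber_tlv t; const uint8_t *p; size_t n, k;
    /* SNMPv3Message ::= SEQUENCE { msgVersion, msgGlobalData, msgSecurityParameters, msgData } */
    if (!ber_next(&msg, &msg_len, 0x30, &t)) return USM_MALFORMED;
    p = t.val; n = t.len;
    if (!ber_next(&p, &n, 0x02, &t) || t.len != 1 || t.val[0] != 3) return USM_MALFORMED;
    if (!ber_next(&p, &n, 0x30, &t)) return USM_MALFORMED;   /* msgGlobalData, skipped */
    if (!ber_next(&p, &n, 0x04, &t)) return USM_MALFORMED;   /* msgSecurityParameters */
    p = t.val; n = t.len;
    if (!ber_next(&p, &n, 0x30, &t)) return USM_MALFORMED;   /* UsmSecurityParameters */
    p = t.val; n = t.len;
    for (k = 0; k < sizeof usm_types; k++)                   /* last step lands on msgAuthenticationParameters */
        if (!ber_next(&p, &n, usm_types[k], &t)) return USM_MALFORMED;
    /* This comparison is what separates a bounded copy from a stack overflow. */
    if (t.len > AUTH_PARAM_MAX) return USM_AUTH_PARAM_TOO_LONG;
    memset(out, 0, AUTH_PARAM_MAX); memcpy(out, t.val, t.len);
    *out_len = t.len; return USM_OK;
}

/* Append one BER TLV (length < 256) at buf[at]; returns the new offset. */
static size_t put_tlv(uint8_t *buf, size_t at, uint8_t type, const uint8_t *val, size_t len)
{
    buf[at++] = type;
    if (len < 0x80) buf[at++] = (uint8_t)len;
    else { buf[at++] = 0x81; buf[at++] = (uint8_t)len; }
    if (len) memcpy(buf + at, val, len);
    return at + len;
}

/* Constructed sample: an authNoPriv USM message whose msgAuthenticationParameters
 * holds auth_len bytes of 'A' (capped at 200). out needs 512 bytes; returns the length. */
size_t build_sample_msg(uint8_t *out, size_t auth_len)
{
    /* msgID 1, msgMaxSize 1500, msgFlags authFlag, msgSecurityModel USM (3) */
    static const uint8_t hdr[] = {0x02,0x01,0x01, 0x02,0x02,0x05,0xdc, 0x04,0x01,0x01, 0x02,0x01,0x03};
    /* msgAuthoritativeEngineID (5 bytes), engineBoots 0, engineTime 0, msgUserName "usr" */
    static const uint8_t usm_head[] = {0x04,0x05,0x80,0x00,0x1f,0x88,0x01, 0x02,0x01,0x00,
                                       0x02,0x01,0x00, 0x04,0x03,'u','s','r'};
    uint8_t auth[200], usm[256], sec[260], body[280];
    size_t u = sizeof usm_head, s, b = 0;
    if (auth_len > sizeof auth) auth_len = sizeof auth;
    memset(auth, 'A', auth_len);
    memcpy(usm, usm_head, u);
    u = put_tlv(usm, u, 0x04, auth, auth_len);              /* msgAuthenticationParameters */
    u = put_tlv(usm, u, 0x04, NULL, 0);                     /* msgPrivacyParameters, empty */
    s = put_tlv(sec, 0, 0x30, usm, u);                      /* UsmSecurityParameters SEQUENCE */
    b = put_tlv(body, b, 0x02, (const uint8_t *)"\x03", 1); /* msgVersion 3 */
    b = put_tlv(body, b, 0x30, hdr, sizeof hdr);            /* msgGlobalData */
    b = put_tlv(body, b, 0x04, sec, s);                     /* msgSecurityParameters */
    b = put_tlv(body, b, 0x30, NULL, 0);                    /* msgData placeholder */
    return put_tlv(out, 0, 0x30, body, b);
}

/* Build a sample, optionally drop trailing bytes, and classify it. */
int check_sample(size_t auth_len, size_t truncate_by)
{
    uint8_t msg[512], ap[AUTH_PARAM_MAX];
    size_t ap_len = 0, n = build_sample_msg(msg, auth_len);
    if (truncate_by >= n) return USM_MALFORMED;
    return usm_auth_params(msg, n - truncate_by, ap, &ap_len);
}

int main(void) { printf("12: %d  13: %d  200: %d  truncated: %d\n", check_sample(12, 0), check_sample(13, 0), check_sample(200, 0), check_sample(12, 5)); return 0; }
```

check_sample(12, 0) returns USM_OK, check_sample(13, 0) and check_sample(200, 0) return USM_AUTH_PARAM_TOO_LONG, and check_sample(12, 5), with five trailing bytes dropped, returns USM_MALFORMED. The same walk can be run over raw UDP/161 payloads: any frame that reaches the final comparison and fails it carries the oversized field the bullets above describe, while a frame rejected earlier is simply malformed and worth counting separately.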

CVSS provenance

nvd v3.1        9.8   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v4.0        9.3   CRITICAL  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd v2.0        10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor (ubuntu) 7.5   HIGH