CVE-2026-8836
Published 2026-05-18
Priority: P264 · critical · CVSS 3.1: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 1.02% (58.9th percentile)
A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ubuntu | lwip | — | — |
Detection & IOCs (extracted from sources)
- The vulnerable function is `snmp_parse_inbound_frame` in `src/apps/snmp/snmp_msg.c`. Monitor or audit SNMPv3 traffic targeting this code path, specifically manipulation of the `msgAuthenticationParameters` argument, which triggers the stack-based buffer overflow.
- The vulnerability is remotely exploitable: look for anomalous or oversized SNMPv3 USM `msgAuthenticationParameters` fields in inbound SNMP frames (UDP port 161) targeting devices running lwIP up to version 2.2.1.
- Successful exploitation can result in arbitrary code execution or denial of service. Correlate unexpected crashes or process restarts in lwIP-based services with inbound SNMPv3 traffic as a potential exploitation indicator.
- The vulnerability only affects lwIP deployments with SNMPv3 USM authentication enabled. Deployments not using SNMPv3 are not impacted by this specific issue.
- lwIP is often bundled (not packaged separately) within downstream projects such as ocproxy. Patching requires verifying and updating the bundled copy, not just the system package.
- Affected versions are lwIP up to and including 2.2.1. Verify the exact embedded version in use, as bundled copies may not reflect the system-level package version.
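One way to implement the length check described in the list above, as an added example that is not code from lwIP or from any of the sources quoted on this page: it walks the BER structure of an inbound SNMPv3 datagram and classifies it by the length of `msgAuthenticationParameters`. The 12-byte limit is an assumption taken from the RFC 3414 HMAC-96 protocols, not from the lwIP source (agents using the longer RFC 7860 digests need a higher value), and all function names and sample messages are constructed for illustration.

```python
MAX_AUTH_LEN = 12  # assumption: RFC 3414 HMAC-MD5-96 / HMAC-SHA-96 digest length

def read_tlv(buf, off):
    """Decode one BER TLV at off; return (tag, value, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or off + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[off:off + length], off + length

def children(buf):                          # every TLV packed back to back in buf
    out, off = [], 0
    while off < len(buf):
        tag, val, off = read_tlv(buf, off)
        out.append((tag, val))
    return out

def classify(datagram):
    """Return 'ok', 'oversized', 'not-usm' or 'malformed' for one UDP payload."""
    try:
        tag, body, _ = read_tlv(datagram, 0)
        msg = children(body)
        if tag != 0x30 or len(msg) != 4 or msg[0] != (0x02, b"\x03"):
            return "not-usm"                # not an SNMPv3 message
        if children(msg[1][1])[3:] != [(0x02, b"\x03")] or msg[2][0] != 0x04:
            return "not-usm"                # msgSecurityModel is not 3 (USM)
        tag, usm, _ = read_tlv(msg[2][1], 0)
        fields = children(usm)              # engineID, boots, time, user, auth, priv
        if tag != 0x30 or len(fields) != 6 or fields[4][0] != 0x04:
            return "malformed"
    except ValueError:
        return "malformed"
    return "oversized" if len(fields[4][1]) > MAX_AUTH_LEN else "ok"

def tlv(tag, val):                          # short-form encoder for the samples (< 128 bytes)
    return bytes([tag, len(val)]) + val

def sample(auth):                           # constructed SNMPv3/USM message, not captured traffic
    usm = tlv(0x30, tlv(4, b"\x80\x00\x1f\x88\x01") + tlv(2, b"\x01") + tlv(2, b"\x01")
              + tlv(4, b"monitor") + tlv(4, auth) + tlv(4, b""))
    header = tlv(0x30, tlv(2, b"\x01") + tlv(2, b"\x05\xdc") + tlv(4, b"\x05") + tlv(2, b"\x03"))
    return tlv(0x30, tlv(2, b"\x03") + header + tlv(4, usm) + tlv(0x30, b""))
```

Feed `classify` the UDP/161 payloads from a capture or a mirror port; a `malformed` verdict on traffic toward an lwIP device deserves the same follow-up as `oversized`.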
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vendor_ubuntu | | 7.5 | HIGH | |
GHSA
GHSA-3w8m-3w76-f6mh: A vulnerability was found in lwIP up to 2
ghsa_unreviewed·2026-05-18
CVE-2026-8836 [CRITICAL] CWE-119 GHSA-3w8m-3w76-f6mh: A vulnerability was found in lwIP up to 2
A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue.
VulDB
lwIP up to 2.2.1 snmpv3 USM src/apps/snmp/snmp_msg.c snmp_parse_inbound_frame msgAuthenticationParameters stack-based overflow (Bug 68194)
vuldb·2026-05-18·CVSS 9.3
CVE-2026-8836 [CRITICAL] lwIP up to 2.2.1 snmpv3 USM src/apps/snmp/snmp_msg.c snmp_parse_inbound_frame msgAuthenticationParameters stack-based overflow (Bug 68194)
A vulnerability marked as critical has been reported in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow.
This vulnerability was named CVE-2026-8836. The attack may be initiated remotely. There is no available exploit.
It is suggested to install a patch to address this issue.
Ubuntu
lwIP vulnerabilities
vendor_ubuntu·2026-06-11·CVSS 7.5
CVE-2026-8836 [HIGH] lwIP vulnerabilities
Title: lwIP vulnerabilities
Summary: Several security issues were fixed in lwIP.
It was discovered that lwIP contained a buffer overflow in the EAP
authentication handling code. An attacker could possibly use this issue
to trigger a buffer overflow, resulting in arbitrary code execution or a
denial of service. This issue only affected Ubuntu 20.04 LTS.
(CVE-2020-8597)
It was discovered that lwIP incorrectly handled certain ICMPv6 or
6LoWPAN packets. An attacker could possibly use this issue to trigger a
buffer overflow, resulting in information disclosure. This issue only
affected Ubuntu 20.04 LTS. (CVE-2020-22283, CVE-2020-22284)
It was discovered that lwIP did not properly validate certain SNMPv3
authentication parameters. An attacker could possibly use this issue to
trigger a stack-
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-8836 ocproxy: lwIP: Remote code execution via stack-based buffer overflow in SNMPv3 USM Handler [epel-all]
bugzilla·2026-05-19·CVSS 9.3
CVE-2026-8836 [CRITICAL] CVE-2026-8836 ocproxy: lwIP: Remote code execution via stack-based buffer overflow in SNMPv3 USM Handler [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
There is no package in epel10. Do you mean epel8 instead?
Bugzilla
CVE-2026-8836 ocproxy: lwIP: Remote code execution via stack-based buffer overflow in SNMPv3 USM Handler [fedora-all]
bugzilla·2026-05-19·CVSS 9.3
CVE-2026-8836 [CRITICAL] CVE-2026-8836 ocproxy: lwIP: Remote code execution via stack-based buffer overflow in SNMPv3 USM Handler [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Upstream has fixed.
https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c
Todo: unbundle lwip into a separate package with patches applied; there are also other security issues.
Bugzilla
CVE-2026-8836 lwip: lwIP: Remote code execution via stack-based buffer overflow in SNMPv3 USM Handler
bugzilla·2026-05-18·CVSS 9.3
CVE-2026-8836 [CRITICAL] CVE-2026-8836 lwip: lwIP: Remote code execution via stack-based buffer overflow in SNMPv3 USM Handler
A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue.
- https://cgit.git.savannah.gnu.org/cgit/lwip.git/commit/?id=0c957ec03054eb6c8205e9c9d1d05d90ada3898c
- https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c
- https://savannah.nongnu.org/bugs/?68194
- https://vuldb.com/submit/829798
- https://vuldb.com/vuln/364474
- https://vuldb.com/vuln/364474/cti
2026-05-18
Published