CVE-2026-47148 | In EmberZNet v9.0.2 and earlier, malformed GetGroupMembershi… | CVSS 7.1 HIGH

Description

In EmberZNet v9.0.2 and earlier, malformed GetGroupMembership commands can trigger repeated reads past the end of the message payload and terminate the process. These messages must come from a device that has already joined the network, and no information leakage back to the sender was observed. Only devices supporting the Groups cluster may be impacted.

Metadata

CVE ID: CVE-2026-47148
State: PUBLISHED
Assigner: Silabs
Reserved: 2026-05-18 20:02 UTC
Published: 2026-06-25 13:37 UTC
Last updated: 2026-06-25 14:15 UTC
Primary CWE: CWE-125
CWE-125: Out-of-bounds Read
Vendor / Product: Silicon Labs / EmberZNet
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Silicon Labs	EmberZNet	—	0 ≤ 9.0.2

Weakness (CWE)

CWE	Source	Description
CWE-125	cna	CWE-125: Out-of-bounds Read

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (2)