Preface: IoT manufacturers are very willing to use lwIP (Lightweight IP) in firmware, and it is widely used in commercial IoT products. It is a dominant TCP/IP stack in the embedded space because it provides a full-featured networking stack (TCP, UDP, DHCP, DNS) while being highly optimized for resource-constrained, low-power devices.
Even though firmware allocate an lwIP pbuf to hold the payload in RAM
[// PBUF_TRANSPORT automatically reserves space for UDP/IP headers]
If your firmware explicitly uses SNMPv3 alongside your Wake-on-LAN feature, you must apply the patch.
Background: Inbound parsing and outbound allocation are two completely different memory directions (see below):
Outbound – When you call pbuf_alloc(PBUF_TRANSPORT, …), you are allocating memory for an outgoing packet. This works perfectly and securely for transmitting your Magic Packet.
Inbound – When an SNMPv3 management command comes into your device, lwIP allocates an incoming pbuf automatically to hold the raw network packet. The vulnerability happens after allocation, during the parsing phase inside snmp_msg[.]c.
Why CVE-2026-8836 Bypasses Pbuf Protection
The flaw is a stack-based buffer overflow, not a pbuf heap overflow.
i.When a remote user sends an SNMPv3 packet, the function snmp_parse_inbound_frame sets up a fixed-size array on the CPU stack called request->msg_authentication_parameters. This buffer is hardcoded to a maximum size of SNMP_V3_MAX_AUTH_PARAM_LENGTH (usually 32 bytes).
ii.The unpatched code uses the variable tlv.value_len (which comes directly from the untrusted incoming packet header) to decide how many bytes to decode into that stack array.
iii.An attacker can craft a malicious SNMPv3 packet stating that the authentication data is 100 bytes long. Because the check was commented out (/* IF_PARSE_ASSERT(…) */), lwIP blindly executes snmp_asn1_dec_raw and writes all 100 bytes into the 32-byte stack buffer, smashing the CPU stack, corrupting the return address, and crashing your chip or allowing remote code execution.
Vulnerability details: A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely.
Remedy: The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue.
Official announcement: Please refer to link for details –