Out-of-Bounds Read Vulnerability in Eclipse TinyDTLS Affects Unauthenticated Users
CVE-2026-9267

6.9MEDIUM

Key Information:

Vendor: Eclipse Foundation
Status: Eclipse Tinydtls
Vendor: CVE Published:; 29 June 2026

🔔 Create Eclipse Foundation Vulnerability Alert

What is CVE-2026-9267?

Eclipse TinyDTLS prior to commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 is affected by an out-of-bounds read vulnerability within the check_server_certificate() function. This flaw allows unauthenticated attackers to manipulate Certificate handshake messages by specifying a fragment_length value that triggers out-of-bounds reads. The absence of proper buffer length validation prior to memory operations such as uint24 reads and comparisons can lead to denial of service, particularly impacting memory-constrained devices during DTLS epoch 0. Ensuring timely patching is crucial to mitigate these risks.

Affected Version(s)

Eclipse tinydtls 0

References

https://gitlab.eclipse.org/security/cve-assignment/-/work...

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 29, 2026
Vulnerability Reserved
May 22, 2026

Credit

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.

CVE-2026-9267 Data

JSON