## https://sploitus.com/exploit?id=ADBF658F-9EFF-5496-90A2-4108435C10AB
# lwip-2026-pocs
Proof-of-concept exploits from the [xchglabs](https://xchglabs.com)
2026 security audit of the [lwIP](https://savannah.nongnu.org/projects/lwip/)
TCP/IP stack (v2.2.1, tag `STABLE-2_2_1_RELEASE`, and current `master`).
The audit produced **thirteen** distinct vulnerabilities across the SMTP
client, DNS resolver, DHCP machinery, HTTP/MQTT/SNMP apps, and the core
IP stack. Each finding gets its own subdirectory in this repository as
its upstream fix lands. The remaining twelve findings are reported to
the lwIP maintainers and we are actively working with them on patches;
PoCs will be published here as each is disclosed.
| # | Subdirectory | Vulnerability | Upstream | Status |
| -- | --------------------------- | ----------------------------------------------------------------------------- | ----------------------------------------------------- | ----------- |
| 01 | [`01-smtp-auth-overflow/`](01-smtp-auth-overflow/) | SMTP client `tx_buf` overflow via server-controlled `AUTH` line | [Savannah #68313](https://savannah.nongnu.org/bugs/?68313) | Disclosed |
## Layout
Each subdirectory is self-contained:
```
NN-short-name/
โโโ README.md <- root-cause writeup + build/run instructions
โโโ setup.sh <- fetches the upstream lwIP tarball the harness needs
โโโ harness/ <- end-to-end PoC built against unmodified lwIP source
โโโ standalone/ <- minimal self-contained reproducer (usually ASan)
โโโ patch/ <- one-line / minimal fix submitted upstream
```
## Reading order
Each finding's `README.md` links to the corresponding blog post on
[xchglabs.com/blog](https://xchglabs.com/blog) for the full root-cause
analysis, exploitation notes, and impact discussion. The README in this
repo is the build-and-run reference; the blog post is the writeup.
## Reporting
All findings have been reported to the lwIP maintainers via Savannah.
Please do not contact xchglabs about lwIP-specific bug fixes โ those
belong upstream. For questions about the PoCs themselves, the audit
methodology, or research collaboration:
[contact@xchglabs.com](mailto:contact@xchglabs.com).
## License
The PoC harnesses, drivers, and shims in this repository are released
under the [BSD-3-Clause](LICENSE) license, matching upstream lwIP.
Upstream lwIP source fetched by `setup.sh` retains its own BSD-3-Clause
license from the [lwIP project](https://savannah.nongnu.org/projects/lwip/).