Share
## https://sploitus.com/exploit?id=ADBF658F-9EFF-5496-90A2-4108435C10AB
# lwip-2026-pocs

Proof-of-concept exploits from the [xchglabs](https://xchglabs.com)
2026 security audit of the [lwIP](https://savannah.nongnu.org/projects/lwip/)
TCP/IP stack (v2.2.1, tag `STABLE-2_2_1_RELEASE`, and current `master`).

The audit produced **thirteen** distinct vulnerabilities across the SMTP
client, DNS resolver, DHCP machinery, HTTP/MQTT/SNMP apps, and the core
IP stack. Each finding gets its own subdirectory in this repository as
its upstream fix lands. The remaining twelve findings are reported to
the lwIP maintainers and we are actively working with them on patches;
PoCs will be published here as each is disclosed.

| #  | Subdirectory                | Vulnerability                                                                 | Upstream                                              | Status      |
| -- | --------------------------- | ----------------------------------------------------------------------------- | ----------------------------------------------------- | ----------- |
| 01 | [`01-smtp-auth-overflow/`](01-smtp-auth-overflow/) | SMTP client `tx_buf` overflow via server-controlled `AUTH` line             | [Savannah #68313](https://savannah.nongnu.org/bugs/?68313) | Disclosed   |

## Layout

Each subdirectory is self-contained:

```
NN-short-name/
โ”œโ”€โ”€ README.md              <- root-cause writeup + build/run instructions
โ”œโ”€โ”€ setup.sh               <- fetches the upstream lwIP tarball the harness needs
โ”œโ”€โ”€ harness/               <- end-to-end PoC built against unmodified lwIP source
โ”œโ”€โ”€ standalone/            <- minimal self-contained reproducer (usually ASan)
โ””โ”€โ”€ patch/                 <- one-line / minimal fix submitted upstream
```

## Reading order

Each finding's `README.md` links to the corresponding blog post on
[xchglabs.com/blog](https://xchglabs.com/blog) for the full root-cause
analysis, exploitation notes, and impact discussion. The README in this
repo is the build-and-run reference; the blog post is the writeup.

## Reporting

All findings have been reported to the lwIP maintainers via Savannah.
Please do not contact xchglabs about lwIP-specific bug fixes โ€” those
belong upstream. For questions about the PoCs themselves, the audit
methodology, or research collaboration:
[contact@xchglabs.com](mailto:contact@xchglabs.com).

## License

The PoC harnesses, drivers, and shims in this repository are released
under the [BSD-3-Clause](LICENSE) license, matching upstream lwIP.
Upstream lwIP source fetched by `setup.sh` retains its own BSD-3-Clause
license from the [lwIP project](https://savannah.nongnu.org/projects/lwip/).