## https://sploitus.com/exploit?id=BA80B217-96D1-5CD2-A769-98B7CC6179E5
# CVE-2026-8836 โ lwIP SNMPv3 Stack Overflow PoC
Proof of concept exploit for CVE-2026-8836, a critical stack-based buffer overflow in lwIP's SNMPv3 USM handler.
## Vulnerability
- **CVE**: CVE-2026-8836
- **CVSS**: 9.8 Critical
- **Component**: `snmp_parse_inbound_frame()` in `src/apps/snmp/snmp_msg.c`
- **Root Cause**: Commented-out bounds check + incorrect buffer-size parameter in `snmp_asn1_dec_raw()`
- **Buffer**: `msg_authentication_parameters[12]` (SNMP_V3_MAX_AUTH_PARAM_LENGTH = 12)
- **Affected**: lwIP <= 2.2.1 with `LWIP_SNMP_V3` enabled
- **Fix**: [commit 0c957ec0](https://github.com/lwip-tcpip/lwip/commit/0c957ec03054eb6c8205e9c9d1d05d90ada3898c)
## Full Article
https://www.hunt-benito.com/lwip-snmpv3-stack-overflow-cve-2026-8836-critical-embedded-rce/
## Usage
```bash
python exploit.py --target 192.168.1.100 --port 161 --overflow-size 256
```
### With custom payload
```bash
python exploit.py --target 192.168.1.100 --overflow-size 4096 --payload-file shellcode.bin
```
### Multiple packets
```bash
python exploit.py --target 192.168.1.100 --count 10 --delay 0.5
```
## How It Works
The exploit constructs a valid SNMPv3 message with an oversized `msgAuthenticationParameters` OCTET STRING in the USM security parameters. The TLV length is set to a value larger than 12 bytes (the actual buffer size), which bypasses the internal bounds check because the vulnerable code passes `tlv.value_len` as both the read length *and* the buffer maximum length.
## Disclaimer
This tool is provided for authorized security research and educational purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The authors assume no liability and are not responsible for any misuse or damage caused by this tool.