1470 matches found
CVE-2026-10665
In Zephyr's WireGuard subsystem subsys/net/lib/wireguard, wgprocessdatamessage in wgcrypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIGWIREGUARDBUFLEN bytes before decryption. The call netbuflinearizebuf-data, datalen, pkt-buffer, ..., datalen passed the...
CVE-2026-10666
parseipv4 in subsys/net/ip/utils.c reached via netipaddrparse for strings of the form "a.b.c.d:port" copies the port substring into a fixed 17-byte stack buffer char ipaddrNETIPV4ADDRLEN + 1 using a length of strlen - end - 1, where strlen is the full, unbounded input length and end is only the...
CVE-2026-10667
Zephyr's dynamic kernel-object tracking kernel/userspace/userspace.c, formerly kernel/userspace.c maintains a doubly-linked list objlist of dynamically allocated kernel objects. Iteration over this list in kobjectwordlistforeach was performed under listslock using the SAFE iterator which caches t...
CVE-2026-10663
In Zephyr's experimental USB host stack CONFIGUSBHOSTSTACK, usbhdevicedisconnect subsys/usb/host/usbhdevice.c freed the root usbdevice slab object without clearing the cached pointer ctx-root. The bus removal handler devremovedhandler subsys/usb/host/usbhcore.c decides what to tear down solely fr...
CVE-2026-10666 Stack buffer overflow in `net_ipaddr_parse()` IPv4 address-with-port parsing in `subsys/net/ip/utils.c`
parseipv4 in subsys/net/ip/utils.c reached via netipaddrparse for strings of the form "a.b.c.d:port" copies the port substring into a fixed 17-byte stack buffer char ipaddrNETIPV4ADDRLEN + 1 using a length of strlen - end - 1, where strlen is the full, unbounded input length and end is only the...
CVE-2026-10667 SMP use-after-free in Zephyr `CONFIG_USERSPACE` dynamic kernel-object tracking, reachable from unprivileged user threads
Zephyr's dynamic kernel-object tracking kernel/userspace/userspace.c, formerly kernel/userspace.c maintains a doubly-linked list objlist of dynamically allocated kernel objects. Iteration over this list in kobjectwordlistforeach was performed under listslock using the SAFE iterator which caches t...
CVE-2026-10666 Stack buffer overflow in `net_ipaddr_parse()` IPv4 address-with-port parsing in `subsys/net/ip/utils.c`
parseipv4 in subsys/net/ip/utils.c reached via netipaddrparse for strings of the form "a.b.c.d:port" copies the port substring into a fixed 17-byte stack buffer char ipaddrNETIPV4ADDRLEN + 1 using a length of strlen - end - 1, where strlen is the full, unbounded input length and end is only the...
CVE-2026-10667 SMP use-after-free in Zephyr `CONFIG_USERSPACE` dynamic kernel-object tracking, reachable from unprivileged user threads
Zephyr's dynamic kernel-object tracking kernel/userspace/userspace.c, formerly kernel/userspace.c maintains a doubly-linked list objlist of dynamically allocated kernel objects. Iteration over this list in kobjectwordlistforeach was performed under listslock using the SAFE iterator which caches t...
CVE-2026-10665
CVE-2026-10665 concerns Zephyr’s WireGuard implementation (subsys/net/lib/wireguard). The flaw: wg_process_data_message() linearizes an inbound payload into a fixed pool buffer, passing the attacker-controlled data_len as both the destination capacity and copy length to net_buf_linearize, ignorin...
CVE-2026-10665 Heap buffer overflow on WireGuard receive path via unbounded incoming packet length
In Zephyr's WireGuard subsystem subsys/net/lib/wireguard, wgprocessdatamessage in wgcrypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIGWIREGUARDBUFLEN bytes before decryption. The call netbuflinearizebuf-data, datalen, pkt-buffer, ..., datalen passed the...
CVE-2026-10665 Heap buffer overflow on WireGuard receive path via unbounded incoming packet length
In Zephyr's WireGuard subsystem subsys/net/lib/wireguard, wgprocessdatamessage in wgcrypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIGWIREGUARDBUFLEN bytes before decryption. The call netbuflinearizebuf-data, datalen, pkt-buffer, ..., datalen passed the...
CVE-2026-10663 Use-after-free / double-free of the root USB device in the experimental USB host stack
In Zephyr's experimental USB host stack CONFIGUSBHOSTSTACK, usbhdevicedisconnect subsys/usb/host/usbhdevice.c freed the root usbdevice slab object without clearing the cached pointer ctx-root. The bus removal handler devremovedhandler subsys/usb/host/usbhcore.c decides what to tear down solely fr...
CVE-2026-10663 Use-after-free / double-free of the root USB device in the experimental USB host stack
In Zephyr's experimental USB host stack CONFIGUSBHOSTSTACK, usbhdevicedisconnect subsys/usb/host/usbhdevice.c freed the root usbdevice slab object without clearing the cached pointer ctx-root. The bus removal handler devremovedhandler subsys/usb/host/usbhcore.c decides what to tear down solely fr...
PT-2026-57567
Name of the Vulnerable Software and Affected Versions Zephyr version 4.4.0 Description An out-of-bounds write exists in the WireGuard subsystem within the wg process data message function located in wg crypto.c. The issue occurs when an inbound transport-data payload is linearized into a fixed po...
CVE-2026-10660
The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bapbroadcastassistant.c reassembled remote Broadcast Receive State data into a single file-static netbufsimple attbuf, BTATTMAXATTRIBUTELEN = 512 bytes shared by all connection instances, while the BUSY flag, long-read...
CVE-2026-10660
The CVE-2026-10660 issue affects the Zephyr Bluetooth BAP Broadcast Assistant GATT client (subsys/bluetooth/audio/bap_broadcast_assistant.c). A single static net_buf_simple buffer (att_buf, BT_ATT_MAX_ATTRIBUTE_LEN = 512) is shared across all connections; per-connection state (BUSY flag, long-rea...
CVE-2026-10659
The CVE concerns Zephyr’s Dhara FTL disk driver (drivers/disk/ftl_dhara.c). On flash read errors, the driver previously wrote error codes unconditionally to a caller-supplied err pointer, and the journal-resume path forwarded NULL into dhara_nand_read(), causing a NULL dereference during disk ini...
CVE-2026-10659 NULL pointer dereference in Zephyr Dhara FTL disk driver on flash read error during journal resume
The Dhara flash translation layer disk driver drivers/disk/ftldhara.c implemented the dharanand callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dharaerrort err pointer e.g. err = DHARAEECC in dharanandread, and similar in...
CVE-2026-10659 NULL pointer dereference in Zephyr Dhara FTL disk driver on flash read error during journal resume
The Dhara flash translation layer disk driver drivers/disk/ftldhara.c implemented the dharanand callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dharaerrort err pointer e.g. err = DHARAEECC in dharanandread, and similar in...
CVE-2026-10659
The Dhara flash translation layer disk driver drivers/disk/ftldhara.c implemented the dharanand callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dharaerrort err pointer e.g. err = DHARAEECC in dharanandread, and similar in...