Skip to main content

Zephyr RTOS CVE-2026-10644

| EUVDEUVD-2026-39979 LOW
Out-of-bounds Write (CWE-787)
2026-06-28 zephyr
3.1
CVSS 3.1 · NVD

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
3.1 LOW
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
4.2 MEDIUM

Adjacent vector and AC:H confirmed by serial-line access requirement plus non-default async config and timing dependency; no confidentiality impact from write-only single-byte corruption.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Severity Changed
Jul 06, 2026 - 19:52 NVD
MEDIUM LOW
CVSS changed
Jul 06, 2026 - 19:52 NVD
4.2 (MEDIUM) 3.1 (LOW)
Source Code Evidence Fetched
Jun 28, 2026 - 05:15 vuln.today
Analysis Generated
Jun 28, 2026 - 05:15 vuln.today

DescriptionNVD

The Microchip SERCOM-G1 UART driver (drivers/serial/uart_mchp_sercom_g1.c), used by the PIC32CM-JH SoC family, contains an out-of-bounds write in its asynchronous (DMA) receive path. When uart_rx_enable() is invoked with a one-byte receive buffer (len == 1) and CONFIG_UART_MCHP_ASYNC is enabled, the RX-complete ISR starts a single-beat DMA transfer while a received byte is already pending in the SERCOM DATA register. On this SoC the peripheral-triggered DMA start sequencing then writes one byte past the end of the caller-supplied buffer (CWE-787). The overflowed byte's value is the UART RX data supplied by the connected serial peer (adjacent attacker), while its size and location are fixed at one byte immediately after the buffer. Exploitation requires the async UART config (not enabled by default on the in-tree PIC32CM-JH boards) and a consumer that enables RX with a one-byte buffer; impact is limited single-byte memory corruption adjacent to the RX buffer (possible crash / denial of service). The defect shipped in v4.4.0. The fix reads the first byte with the CPU and, for one-byte buffers, performs no DMA at all; for larger buffers it sizes the DMA for the remaining len-1 bytes.

AnalysisAI

Out-of-bounds write in Zephyr RTOS's Microchip SERCOM-G1 UART driver (introduced in v4.4.0) allows an adjacent attacker who can send serial data to corrupt one byte of memory immediately beyond the caller-supplied RX buffer, potentially causing a crash or denial of service. The flaw exists only when CONFIG_UART_MCHP_ASYNC is enabled (non-default on in-tree PIC32CM-JH board configs) and the consuming application calls uart_rx_enable() with a one-byte buffer - a narrow but real embedded firmware scenario. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain serial line access to target device
Delivery
Confirm CONFIG_UART_MCHP_ASYNC firmware build
Exploit
Send byte during uart_rx_enable with 1-byte buffer
Execution
ISR triggers DMA with pending DATA register byte
Persist
DMA writes one byte past buffer end
Impact
Adjacent memory corruption causes crash or DoS

Vulnerability AssessmentAI

Exploitation Four specific conditions must all be satisfied simultaneously: (1) firmware must be compiled with CONFIG_UART_MCHP_ASYNC=y - this is explicitly not the default for in-tree PIC32CM-JH board configurations; (2) the application layer must call uart_rx_enable() with a receive buffer of exactly one byte (len == 1); (3) the attacker must have physical or logical serial line access to the target device's UART peripheral - network-remote exploitation is not possible; (4) a received byte must be pending in the SERCOM DATA register at the precise moment the RX-complete ISR fires, introducing a timing dependency that raises practical exploitation difficulty. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.2 (Medium) with vector AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L accurately reflects the constrained real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a serial connection to a PIC32CM-JH device running Zephyr firmware compiled with CONFIG_UART_MCHP_ASYNC enabled transmits a byte at the moment the firmware's RX path calls uart_rx_enable() with a 1-byte buffer, ensuring a byte is pending in the SERCOM DATA register when the RX-complete ISR fires. The DMA transfer then writes the attacker-supplied byte value to the memory location immediately following the receive buffer, corrupting adjacent memory. …
Remediation Apply the upstream fix from commit 5251d2bc0070be801769fb7ce7b9066fef5d9f81 (https://github.com/zephyrproject-rtos/zephyr/commit/5251d2bc0070be801769fb7ce7b9066fef5d9f81), which restructures the async RX ISR to read the first incoming byte directly via CPU and bypasses DMA entirely for 1-byte buffers; a specific patched tagged release version was not confirmed in the available data, so monitor the Zephyr project release page for a version incorporating this commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10644 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy