Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Adjacent vector and AC:H confirmed by serial-line access requirement plus non-default async config and timing dependency; no confidentiality impact from write-only single-byte corruption.
Primary rating from Vendor (zephyr).
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionNVD
The Microchip SERCOM-G1 UART driver (drivers/serial/uart_mchp_sercom_g1.c), used by the PIC32CM-JH SoC family, contains an out-of-bounds write in its asynchronous (DMA) receive path. When uart_rx_enable() is invoked with a one-byte receive buffer (len == 1) and CONFIG_UART_MCHP_ASYNC is enabled, the RX-complete ISR starts a single-beat DMA transfer while a received byte is already pending in the SERCOM DATA register. On this SoC the peripheral-triggered DMA start sequencing then writes one byte past the end of the caller-supplied buffer (CWE-787). The overflowed byte's value is the UART RX data supplied by the connected serial peer (adjacent attacker), while its size and location are fixed at one byte immediately after the buffer. Exploitation requires the async UART config (not enabled by default on the in-tree PIC32CM-JH boards) and a consumer that enables RX with a one-byte buffer; impact is limited single-byte memory corruption adjacent to the RX buffer (possible crash / denial of service). The defect shipped in v4.4.0. The fix reads the first byte with the CPU and, for one-byte buffers, performs no DMA at all; for larger buffers it sizes the DMA for the remaining len-1 bytes.
AnalysisAI
Out-of-bounds write in Zephyr RTOS's Microchip SERCOM-G1 UART driver (introduced in v4.4.0) allows an adjacent attacker who can send serial data to corrupt one byte of memory immediately beyond the caller-supplied RX buffer, potentially causing a crash or denial of service. The flaw exists only when CONFIG_UART_MCHP_ASYNC is enabled (non-default on in-tree PIC32CM-JH board configs) and the consuming application calls uart_rx_enable() with a one-byte buffer - a narrow but real embedded firmware scenario. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Four specific conditions must all be satisfied simultaneously: (1) firmware must be compiled with CONFIG_UART_MCHP_ASYNC=y - this is explicitly not the default for in-tree PIC32CM-JH board configurations; (2) the application layer must call uart_rx_enable() with a receive buffer of exactly one byte (len == 1); (3) the attacker must have physical or logical serial line access to the target device's UART peripheral - network-remote exploitation is not possible; (4) a received byte must be pending in the SERCOM DATA register at the precise moment the RX-complete ISR fires, introducing a timing dependency that raises practical exploitation difficulty. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.2 (Medium) with vector AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L accurately reflects the constrained real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a serial connection to a PIC32CM-JH device running Zephyr firmware compiled with CONFIG_UART_MCHP_ASYNC enabled transmits a byte at the moment the firmware's RX path calls uart_rx_enable() with a 1-byte buffer, ensuring a byte is pending in the SERCOM DATA register when the RX-complete ISR fires. The DMA transfer then writes the attacker-supplied byte value to the memory location immediately following the receive buffer, corrupting adjacent memory. … |
| Remediation | Apply the upstream fix from commit 5251d2bc0070be801769fb7ce7b9066fef5d9f81 (https://github.com/zephyrproject-rtos/zephyr/commit/5251d2bc0070be801769fb7ce7b9066fef5d9f81), which restructures the async RX ISR to read the first incoming byte directly via CPU and bypasses DMA entirely for 1-byte buffers; a specific patched tagged release version was not confirmed in the available data, so monitor the Zephyr project release page for a version incorporating this commit. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39979