Skip to main content

Zephyr RTOS CVE-2026-10645

MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-22 zephyr
5.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
vuln.today AI
4.9 MEDIUM

Physical media delivery required (AV:P); mount and traversal constitute user interaction (UI:R); OOB read yields low confidentiality, no integrity impact, but crash/infinite-loop yields high availability loss.

3.1 AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
CVSS changed
Jul 06, 2026 - 19:52 NVD
4.9 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Jun 23, 2026 - 00:43 vuln.today

DescriptionNVD

Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then copies the name with memcpy without validating the structural relationship between de_rec_len, de_name_len, and the directory block boundary (for example that de_rec_len is non-zero, at least the size of the entry header, and that the record fits within the block). Callers such as find_dir_entry() and ext2_get_direntry() (subsys/fs/ext2/ext2_impl.c) then advance traversal using the unvalidated de_rec_len. A crafted ext2 image can therefore cause an out-of-bounds read from the directory block buffer when a malformed entry near the end of a block triggers an oversized name copy, or a zero-progress infinite loop when de_rec_len == 0. The issue is not reached at mount time but later through directory traversal paths such as pathname lookup, stat/open/unlink/rename, and readdir. The primary impact is denial of service and out-of-bounds reads under attacker-controlled ext2 images mounted from untrusted media.

AnalysisAI

Out-of-bounds read and denial-of-service in Zephyr RTOS's ext2 filesystem parser expose embedded devices to filesystem-level attacks via maliciously crafted disk images. The flaw resides in ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), where insufficient validation of on-disk directory entry fields - specifically de_rec_len and de_name_len against block boundaries - allows a crafted ext2 image to trigger an oversized memcpy (out-of-bounds read) or a zero-progress infinite loop when de_rec_len equals zero. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious ext2 disk image
Delivery
Physically deliver media to target device
Exploit
Device mounts ext2 volume
Execution
Trigger directory traversal operation
Persist
ext2_fetch_direntry uses unvalidated de_rec_len/de_name_len
Impact
Out-of-bounds read or infinite loop causes DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Zephyr device has ext2 filesystem support compiled into the build and that the attacker can physically supply a removable storage medium (e.g., SD card, USB mass storage) formatted as a crafted ext2 image to the device. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.9 (Medium) with vector AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H accurately reflects the constrained real-world attack surface: physical media access is required (AV:P), and a user or system process must mount the crafted image and then perform directory traversal (UI:R). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious ext2 disk image containing a directory block with a directory entry near the end of the block where de_name_len is set to a value that, combined with the entry's position, exceeds the block boundary, or sets de_rec_len to zero. The attacker physically delivers this media (e.g., an SD card or USB drive) to a Zephyr-based IoT device that auto-mounts removable storage. …
Remediation Consult the Zephyr project's GitHub Security Advisory (GHSA-hwrh-9h3x-vccm) for the authoritative patch version, as no specific fixed release version was included in the available intelligence data; the patch status is therefore 'upstream fix available per vendor advisory - patched release version not independently confirmed.' Developers and integrators should update to the latest Zephyr release and monitor the advisory for a confirmed fix tag. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10645 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy