Skip to main content

Zephyr RTOS CVE-2026-10665

| EUVDEUVD-2026-43242 HIGH
Out-of-bounds Write (CWE-787)
2026-07-12 zephyr
7.4
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
7.4 HIGH

Network-reachable via UDP (AV:N); only a session index, not an authenticator, is needed pre-auth (PR:N); overflow needs non-default buffer/MTU or fragment conditions (AC:H); memory corruption and DoS give I:H/A:H with no disclosure (C:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 12, 2026 - 17:26 vuln.today

DescriptionCVE.org

In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg_process_data_message() in wg_crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption. The call net_buf_linearize(buf->data, data_len, pkt->buffer, ..., data_len) passed the attacker-derived data_len as both the destination capacity and the copy length, defeating the function's internal len = min(len, dst_len) bound. data_len is derived from the received UDP datagram length and is only lower-bounded by wg_ctrl_recv() (no upper bound). When data_len exceeds CONFIG_WIREGUARD_BUF_LEN - e.g. when the buffer length is lowered below the link MTU, on links with MTU above the buffer size, or via reassembled IPv4/IPv6 fragments that exceed it - the underlying memcpy writes past the end of the pool buffer, an out-of-bounds write (CWE-787). The overflow occurs before the Poly1305 authentication check, so it requires only a valid receiver session index rather than a valid authenticator, and is reachable by a malicious or compromised peer (or an on-path attacker driving an established session) over the network, yielding remote memory corruption and at minimum a reliable denial of service. The defect was present in the WireGuard implementation shipped in Zephyr 4.4.0. The fix adds an explicit data_len > CONFIG_WIREGUARD_BUF_LEN rejection and corrects the linearize call to pass net_buf_max_len(buf) as the destination capacity.

AnalysisAI

Out-of-bounds write in the WireGuard subsystem of Zephyr RTOS 4.4.0 lets a malicious or compromised WireGuard peer (or an on-path attacker driving an established session) corrupt memory by sending an oversized transport-data datagram. Because the flawed copy occurs before the Poly1305 authentication check, exploitation needs only a valid receiver session index rather than a valid authenticator, and reliably yields at least a remote denial of service on the target device. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid WireGuard receiver session index
Delivery
Craft oversized transport-data UDP datagram
Exploit
data_len passed as both capacity and length
Execution
memcpy writes past pool buffer pre-auth
Impact
Remote memory corruption and device denial of service

Vulnerability AssessmentAI

Exploitation Requires the Zephyr WireGuard subsystem to be enabled and an established session so the attacker possesses a valid receiver session index; a valid Poly1305 authenticator is NOT required because the overflow occurs before authentication, so a malicious/compromised peer or an on-path attacker driving that session suffices. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H, base 7.4) is internally consistent with the description: network reachable and unauthenticated (PR:N, since only a session index is needed pre-authentication), but high complexity (AC:H) because the overflow only triggers under specific size conditions - CONFIG_WIREGUARD_BUF_LEN configured below the link MTU, links whose MTU exceeds the buffer, or reassembled IP fragments that exceed it. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A compromised or malicious WireGuard peer that shares an established session with a Zephyr device (or an on-path attacker able to inject into that session) sends a crafted transport-data UDP datagram whose length exceeds CONFIG_WIREGUARD_BUF_LEN. Because the vulnerable memcpy runs before the Poly1305 tag is verified, the attacker needs only a valid receiver session index - not a valid authenticator - to overflow the pool buffer and crash or corrupt the device. …
Remediation Apply the upstream fix from commit 6d8bb28dc9064e05e52b5a00b2998ecc663e38cb (https://github.com/zephyrproject-rtos/zephyr/commit/6d8bb28dc9064e05e52b5a00b2998ecc663e38cb), which adds an explicit data_len > CONFIG_WIREGUARD_BUF_LEN rejection and corrects the linearize call to use net_buf_max_len(buf) as the destination capacity; the corresponding advisory is GHSA-3wqm-wgx2-9367. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Zephyr RTOS 4.4.0 systems using WireGuard and assess network exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10665 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy