Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Network-reachable via UDP (AV:N); only a session index, not an authenticator, is needed pre-auth (PR:N); overflow needs non-default buffer/MTU or fragment conditions (AC:H); memory corruption and DoS give I:H/A:H with no disclosure (C:N).
Primary rating from Vendor (zephyr).
CVSS VectorVendor: zephyr
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg_process_data_message() in wg_crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption. The call net_buf_linearize(buf->data, data_len, pkt->buffer, ..., data_len) passed the attacker-derived data_len as both the destination capacity and the copy length, defeating the function's internal len = min(len, dst_len) bound. data_len is derived from the received UDP datagram length and is only lower-bounded by wg_ctrl_recv() (no upper bound). When data_len exceeds CONFIG_WIREGUARD_BUF_LEN - e.g. when the buffer length is lowered below the link MTU, on links with MTU above the buffer size, or via reassembled IPv4/IPv6 fragments that exceed it - the underlying memcpy writes past the end of the pool buffer, an out-of-bounds write (CWE-787). The overflow occurs before the Poly1305 authentication check, so it requires only a valid receiver session index rather than a valid authenticator, and is reachable by a malicious or compromised peer (or an on-path attacker driving an established session) over the network, yielding remote memory corruption and at minimum a reliable denial of service. The defect was present in the WireGuard implementation shipped in Zephyr 4.4.0. The fix adds an explicit data_len > CONFIG_WIREGUARD_BUF_LEN rejection and corrects the linearize call to pass net_buf_max_len(buf) as the destination capacity.
AnalysisAI
Out-of-bounds write in the WireGuard subsystem of Zephyr RTOS 4.4.0 lets a malicious or compromised WireGuard peer (or an on-path attacker driving an established session) corrupt memory by sending an oversized transport-data datagram. Because the flawed copy occurs before the Poly1305 authentication check, exploitation needs only a valid receiver session index rather than a valid authenticator, and reliably yields at least a remote denial of service on the target device. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the Zephyr WireGuard subsystem to be enabled and an established session so the attacker possesses a valid receiver session index; a valid Poly1305 authenticator is NOT required because the overflow occurs before authentication, so a malicious/compromised peer or an on-path attacker driving that session suffices. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H, base 7.4) is internally consistent with the description: network reachable and unauthenticated (PR:N, since only a session index is needed pre-authentication), but high complexity (AC:H) because the overflow only triggers under specific size conditions - CONFIG_WIREGUARD_BUF_LEN configured below the link MTU, links whose MTU exceeds the buffer, or reassembled IP fragments that exceed it. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A compromised or malicious WireGuard peer that shares an established session with a Zephyr device (or an on-path attacker able to inject into that session) sends a crafted transport-data UDP datagram whose length exceeds CONFIG_WIREGUARD_BUF_LEN. Because the vulnerable memcpy runs before the Poly1305 tag is verified, the attacker needs only a valid receiver session index - not a valid authenticator - to overflow the pool buffer and crash or corrupt the device. … |
| Remediation | Apply the upstream fix from commit 6d8bb28dc9064e05e52b5a00b2998ecc663e38cb (https://github.com/zephyrproject-rtos/zephyr/commit/6d8bb28dc9064e05e52b5a00b2998ecc663e38cb), which adds an explicit data_len > CONFIG_WIREGUARD_BUF_LEN rejection and corrects the linearize call to use net_buf_max_len(buf) as the destination capacity; the corresponding advisory is GHSA-3wqm-wgx2-9367. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Zephyr RTOS 4.4.0 systems using WireGuard and assess network exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43242