Skip to main content

Zephyr RTOS CVE-2026-10673

| EUVDEUVD-2026-44746 HIGH
Out-of-bounds Write (CWE-787)
2026-07-15 zephyr
8.3
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
8.3 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
vuln.today AI
8.3 HIGH

Attacker must be on the shared single-pair segment (AV:A) but needs no auth or interaction (PR:N/UI:N); the unbounded write yields high integrity/availability impact and low incidental confidentiality.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 18:32 vuln.today
Analysis Generated
Jul 15, 2026 - 18:32 vuln.today
CVE Published
Jul 15, 2026 - 17:36 cve.org
HIGH 8.3

DescriptionCVE.org

The Zephyr ADIN2111/ADIN1110 10BASE-T1S/T1L Ethernet driver (drivers/ethernet/eth_adin2111.c) reassembles received Ethernet frames in OPEN Alliance (OA) SPI mode by copying device-supplied 64-byte data chunks into a fixed static buffer ctx->buf of size CONFIG_ETH_ADIN2111_BUFFER_SIZE (default 1524 bytes). In eth_adin2111_oa_data_read(), each valid chunk was memcpy'd into ctx->buf[ctx->scur] and the write cursor scur advanced, with no check that scur + len stayed within the buffer. The number of chunks (up to 255, from the BUFSTS RCA field) and the per-chunk length are taken entirely from the frame data received off the wire; the cursor is only reset on a start-of-frame chunk. An attacker on the single-pair Ethernet segment can therefore send a frame whose reassembled size exceeds the configured buffer, causing the driver's RX offload thread to write attacker-controlled frame bytes past the end of the static buffer into adjacent driver/kernel memory (up to roughly 14.8 KB in the worst case). This is a remotely/adjacently reachable out-of-bounds write (CWE-787) that can corrupt memory and cause denial of service or potentially code execution. The defect was introduced when OA SPI support was added (commit 0ca8b0756b1) and shipped in releases v3.7.0 through v4.4.0. The fix adds a bounds check that drops the oversized frame and resets the cursor before the copy.

AnalysisAI

Out-of-bounds write in the Zephyr RTOS ADIN2111/ADIN1110 single-pair Ethernet driver (eth_adin2111.c) lets an attacker on the same 10BASE-T1S/T1L segment corrupt kernel memory by sending an oversized frame in OPEN Alliance SPI mode. Because per-chunk length and chunk count (up to 255) come straight off the wire with no bounds check on the reassembly cursor, the RX offload thread writes attacker-controlled bytes-up to ~14.8 KB-past the fixed 1524-byte static buffer, enabling denial of service and potentially remote code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain node on shared SPE segment
Delivery
Craft oversized OA multi-chunk frame
Exploit
Transmit frame to target driver
Execution
RX thread overflows static buffer
Persist
Corrupt adjacent kernel memory
Impact
Crash device or execute code

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target device runs Zephyr v3.7.0-v4.4.0 with the ADIN2111/ADIN1110 Ethernet driver compiled in and operating in OPEN Alliance (OA) SPI mode, and that the attacker can inject frames onto the shared single-pair (10BASE-T1S/T1L) Ethernet segment the device is attached to. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent and point to a genuine, if network-constrained, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a node on the same 10BASE-T1S/T1L single-pair Ethernet segment crafts a frame that reassembles, via many 64-byte OA SPI chunks, to more than the 1524-byte buffer size. When the target's ADIN2111 RX offload thread copies the chunks, the excess attacker-controlled bytes overwrite adjacent kernel memory, crashing the device or, with careful layout, steering execution. …
Remediation Patch available per vendor advisory: apply the upstream fixes in commits 158df8d088316cdae20816fc07703892280b2acb and c98321cbfef23c0e3bdf043ccf6b421067c8d508, which add a bounds check that drops any frame where ctx->scur + len exceeds CONFIG_ETH_ADIN2111_BUFFER_SIZE and resets the cursor before the copy; rebuild and reflash affected devices from a Zephyr tree containing these commits (fixed release version not independently confirmed from the provided data-verify the patched tag against GHSA-hm6v-4jh4-3qc4). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running Zephyr RTOS versions 3.7.0 through 4.4.0 with ADIN2111 or ADIN1110 Ethernet driver components and assess their network exposure and operational criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10673 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy