Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Attacker must be on the shared single-pair segment (AV:A) but needs no auth or interaction (PR:N/UI:N); the unbounded write yields high integrity/availability impact and low incidental confidentiality.
Primary rating from Vendor (zephyr).
CVSS VectorVendor: zephyr
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The Zephyr ADIN2111/ADIN1110 10BASE-T1S/T1L Ethernet driver (drivers/ethernet/eth_adin2111.c) reassembles received Ethernet frames in OPEN Alliance (OA) SPI mode by copying device-supplied 64-byte data chunks into a fixed static buffer ctx->buf of size CONFIG_ETH_ADIN2111_BUFFER_SIZE (default 1524 bytes). In eth_adin2111_oa_data_read(), each valid chunk was memcpy'd into ctx->buf[ctx->scur] and the write cursor scur advanced, with no check that scur + len stayed within the buffer. The number of chunks (up to 255, from the BUFSTS RCA field) and the per-chunk length are taken entirely from the frame data received off the wire; the cursor is only reset on a start-of-frame chunk. An attacker on the single-pair Ethernet segment can therefore send a frame whose reassembled size exceeds the configured buffer, causing the driver's RX offload thread to write attacker-controlled frame bytes past the end of the static buffer into adjacent driver/kernel memory (up to roughly 14.8 KB in the worst case). This is a remotely/adjacently reachable out-of-bounds write (CWE-787) that can corrupt memory and cause denial of service or potentially code execution. The defect was introduced when OA SPI support was added (commit 0ca8b0756b1) and shipped in releases v3.7.0 through v4.4.0. The fix adds a bounds check that drops the oversized frame and resets the cursor before the copy.
AnalysisAI
Out-of-bounds write in the Zephyr RTOS ADIN2111/ADIN1110 single-pair Ethernet driver (eth_adin2111.c) lets an attacker on the same 10BASE-T1S/T1L segment corrupt kernel memory by sending an oversized frame in OPEN Alliance SPI mode. Because per-chunk length and chunk count (up to 255) come straight off the wire with no bounds check on the reassembly cursor, the RX offload thread writes attacker-controlled bytes-up to ~14.8 KB-past the fixed 1524-byte static buffer, enabling denial of service and potentially remote code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target device runs Zephyr v3.7.0-v4.4.0 with the ADIN2111/ADIN1110 Ethernet driver compiled in and operating in OPEN Alliance (OA) SPI mode, and that the attacker can inject frames onto the shared single-pair (10BASE-T1S/T1L) Ethernet segment the device is attached to. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent and point to a genuine, if network-constrained, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a node on the same 10BASE-T1S/T1L single-pair Ethernet segment crafts a frame that reassembles, via many 64-byte OA SPI chunks, to more than the 1524-byte buffer size. When the target's ADIN2111 RX offload thread copies the chunks, the excess attacker-controlled bytes overwrite adjacent kernel memory, crashing the device or, with careful layout, steering execution. … |
| Remediation | Patch available per vendor advisory: apply the upstream fixes in commits 158df8d088316cdae20816fc07703892280b2acb and c98321cbfef23c0e3bdf043ccf6b421067c8d508, which add a bounds check that drops any frame where ctx->scur + len exceeds CONFIG_ETH_ADIN2111_BUFFER_SIZE and resets the cursor before the copy; rebuild and reflash affected devices from a Zephyr tree containing these commits (fixed release version not independently confirmed from the provided data-verify the patched tag against GHSA-hm6v-4jh4-3qc4). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running Zephyr RTOS versions 3.7.0 through 4.4.0 with ADIN2111 or ADIN1110 Ethernet driver components and assess their network exposure and operational criticality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44746