Skip to main content

Zephyr RTOS EUVDEUVD-2026-39106

| CVE-2026-10642 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-06-24 zephyr
4.6
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.6 MEDIUM

Triggering the hang requires direct electrical control of the physical UART CTS wire, making AV:P more accurate than the reported AV:A; AC:L because once CTS flow control is enabled the trigger is a trivial signal state; C/I remain N as confirmed by the advisory.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 19:22 NVD
6.5 (MEDIUM) 4.6 (MEDIUM)
Source Code Evidence Fetched
Jun 24, 2026 - 22:27 vuln.today
Analysis Generated
Jun 24, 2026 - 22:27 vuln.today

DescriptionCVE.org

The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to work around the controller's level-transition TX-interrupt behavior. When CTS hardware flow control is enabled (devicetree hw-flow-control or runtime UART_CFG_FLOW_CTRL_RTS_CTS) and the wired serial peer de-asserts CTS, the controller stops draining the TX FIFO; pl011_fifo_fill() then returns 0 on every call while the application still has pending data and therefore never disables the TX interrupt. The loop condition never clears, so the thread that called uart_irq_tx_enable() (e.g. h4_send() in the Bluetooth HCI H4 driver) spins indefinitely, hanging the executing context and stalling the transport - a denial of service (CWE-835). An attacker controlling the device attached to the UART's CTS line can trigger the hang by withholding CTS during transmission. Impact is availability only; there is no memory-safety, confidentiality, or integrity consequence. The vulnerable loop was introduced in commit b783bc8448ef (Feb 2025) and shipped in releases v4.1.0 through v4.4.0. The fix breaks out of the loop when CTS is blocking and arms the CTS modem-status interrupt to resume transmission when CTS re-asserts.

AnalysisAI

Infinite-loop denial of service in the Zephyr RTOS PL011 UART driver (v4.1.0-v4.4.0) permanently stalls any thread that calls uart_irq_tx_enable() - including the Bluetooth HCI H4 send path - when CTS hardware flow control is enabled and the wired peer withholds CTS during transmission. The root cause is a software workaround loop (CWE-835) that compensates for the PL011 controller's level-transition TX interrupt behavior but never exits when pl011_fifo_fill() returns 0 due to a blocked CTS line. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Zephyr system using PL011 UART with CTS flow control enabled
Delivery
Gain physical or logical control of wired CTS peer device
Exploit
Wait for or trigger UART transmission from Zephyr host
Install
De-assert CTS signal during active transmission
C2
pl011_fifo_fill() returns 0 inside unbounded software loop
Execute
Loop exit condition becomes unreachable
Impact
Transmitting thread spins indefinitely, stalling UART transport

Vulnerability AssessmentAI

Exploitation Exploitation requires both of the following conditions simultaneously: (1) CTS hardware flow control must be enabled on the PL011 UART instance, configured either statically via the devicetree hw-flow-control property or dynamically at runtime via UART_CFG_FLOW_CTRL_RTS_CTS - this is not the default in many Zephyr configurations; and (2) the attacker must be able to de-assert the CTS signal on the physical UART CTS pin, either by controlling the wired peer device directly or by compromising firmware on that device. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The reported CVSS 3.1 score of 6.5 uses vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, but the Adjacent-Network designation merits scrutiny: triggering the hang requires direct electrical control of the UART CTS hardware line, which is arguably an AV:P (Physical) scenario rather than a network-adjacent one. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has physical control of - or has compromised - a device wired to the UART CTS pin of a Zephyr v4.1.0-v4.4.0 system (for example, a Bluetooth module connected via HCI H4 over UART with CTS flow control enabled) simply holds the CTS line de-asserted while the Zephyr host initiates a transmission. The pl011_irq_tx_enable() loop spins indefinitely, permanently blocking the transmitting thread and stalling the UART transport layer; no exploit code or elevated privilege is required beyond physical or logical control of the CTS signal.
Remediation Apply the upstream fix from commit 68e702294b711eadfe7b4fadedd46d7c87fe8f3d (https://github.com/zephyrproject-rtos/zephyr/commit/68e702294b711eadfe7b4fadedd46d7c87fe8f3d), which adds a CTS-blocking check inside the pl011_irq_tx_enable() loop - exiting when (uart->cr & PL011_CR_CTSEn) && !(uart->fr & PL011_FR_CTS) and arming PL011_IMSC_CTSMIM so transmission resumes automatically when CTS re-asserts. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

EUVD-2026-39106 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy