Skip to main content

Zephyr RTOS EUVDEUVD-2026-42037

| CVE-2026-10659 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-07-07 zephyr
4.7
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local vector and AC:H reflect the flash-error-at-checkpoint prerequisite; PR:L covers application-level disk mount access; C and I are N as only kernel availability is impacted.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 13:41 vuln.today

DescriptionNVD

The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DHARA_E_ECC in dhara_nand_read, and similar in dhara_nand_erase/prog/copy). The upstream Dhara library calls these callbacks with err == NULL along its journal-resume binary search: find_last_checkblock() invokes find_checkblock(j, mid, &found, NULL), which forwards the NULL pointer into dhara_nand_read(). This path runs during disk_ftl_access_init() -> dhara_map_resume() whenever the FTL disk is mounted/initialised. If a flash read error (uncorrectable ECC, bad block, controller error) occurs on one of the probed checkpoint pages, the driver dereferences and writes to NULL, faulting the kernel (denial of service). The trigger is conditioned on the NAND medium content/health, which can be influenced by media wear, induced faults, or a corrupted/crafted on-flash image. The fix routes all error assignments through the library's NULL-safe dhara_set_error() helper. Affects Zephyr v4.4.0, where the driver was introduced.

AnalysisAI

Kernel denial-of-service in Zephyr RTOS v4.4.0's Dhara flash translation layer driver crashes the system during FTL disk initialization when a flash error coincides with the journal-resume checkpoint scan. The driver's dhara_nand_read/erase/prog/copy callbacks unconditionally dereference the caller-supplied err pointer, but the upstream Dhara library legitimately passes NULL during its binary search in find_last_checkblock(), triggering a NULL write and kernel fault. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain physical or supply-chain access to NAND flash
Delivery
Corrupt or wear-induce a checkpoint page on flash media
Exploit
Boot or remount device running Zephyr v4.4.0 with Dhara FTL
Execution
disk_ftl_access_init() triggers dhara_map_resume() checkpoint scan
Persist
dhara_nand_read() dereferences NULL err pointer on flash error
Impact
Kernel fault crashes device

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following conditions simultaneously: the target device runs Zephyr v4.4.0 with the Dhara FTL disk driver compiled and enabled; a NAND flash device is managed by the Dhara FTL layer; and one of the probed Dhara journal checkpoint pages returns a flash read error - specifically uncorrectable ECC, a bad block, or a hardware controller error - during the journal-resume binary search executed at FTL initialization (disk_ftl_access_init() → dhara_map_resume()). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.7 (Medium) with vector AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H accurately reflects the constrained threat model: local-only attack vector, high exploitation complexity, and availability-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with physical access to a Zephyr v4.4.0 device - or one who can provision a crafted NAND flash image during manufacturing or supply-chain handling - induces an uncorrectable ECC error or bad block on one of the Dhara journal checkpoint pages. When the device boots and the FTL disk initializes, dhara_map_resume() performs a binary search over checkpoint pages, passing NULL as the error pointer; the driver dereferences NULL upon encountering the flash error, faulting the kernel and crashing the device. …
Remediation The upstream fix is available as commit a8371b0d4719efe37a66e2abb618ad9b81792212 in the Zephyr GitHub repository (https://github.com/zephyrproject-rtos/zephyr/commit/a8371b0d4719efe37a66e2abb618ad9b81792212), replacing direct err pointer writes with the NULL-safe dhara_set_error() helper. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2026-58659 HIGH POC
8.4 Jul 15

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2026-31214 CRITICAL
9.8 May 12

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2026-31222 HIGH
8.8 May 12

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin

Share

EUVD-2026-42037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy