Skip to main content

Zephyr nRF70 Driver EUVDEUVD-2026-43241

| CVE-2026-10664 MEDIUM
Out-of-bounds Write (CWE-787)
2026-07-12 zephyr
5.0
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
5.0 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
5.0 MEDIUM

Adjacent vector captures co-processor/AP indirect path; AC:H reflects multi-step rogue-AP-to-firmware manipulation required; C:L for OOB read, I:L/A:L for stack corruption.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 12, 2026 - 17:28 vuln.today

DescriptionCVE.org

The nRF70 Wi-Fi driver's power-save event handler nrf_wifi_event_proc_get_power_save_info() in drivers/wifi/nrf_wifi/src/wifi_mgmt.c copied TWT (Target Wake Time) flow entries from an nrf_wifi_umac_event_power_save_info event into the fixed-size twt_flows[WIFI_MAX_TWT_FLOWS] (8-element) array of a caller-supplied struct wifi_ps_config, looping over event-provided num_twt_flows without validating it against WIFI_MAX_TWT_FLOWS or checking event_len. When num_twt_flows exceeds 8, the handler writes past the destination array (which is typically on the caller's stack, e.g. the wifi ps shell command) -- an out-of-bounds write of ~40-byte TWT entries -- and reads twt_flow_info[i] past the event buffer. The event is delivered by the nRF70 co-processor firmware in response to a host-initiated power-save GET, so reaching the overflow requires the firmware to emit a malformed or out-of-range event; the trust boundary is host-to-trusted-coprocessor rather than a direct remote-AP write, with over-the-air influence on the flow count being indirect and bounded by the 3-bit TWT flow-id space. Affected: builds with CONFIG_NRF70_STA_MODE on releases through v4.4.0. The fix rejects events with num_twt_flows > WIFI_MAX_TWT_FLOWS or with event_len shorter than the claimed entries, and adds a NULL check on the caller buffer.

AnalysisAI

Out-of-bounds stack write in Zephyr's nRF70 Wi-Fi driver exposes embedded systems to memory corruption when the nRF70 co-processor returns a power-save event with more than eight TWT flow entries. The vulnerable function nrf_wifi_event_proc_get_power_save_info() blindly copies co-processor-supplied TWT entries into a fixed 8-element stack array without validating num_twt_flows against WIFI_MAX_TWT_FLOWS, enabling heap/stack corruption of approximately 40 bytes per excess entry. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Position on adjacent Wi-Fi network
Delivery
Operate rogue 802.11ax AP
Exploit
Manipulate TWT session negotiation
Install
Corrupt co-processor TWT flow state
C2
Host triggers power-save GET
Execute
Unvalidated event copy overflows stack
Impact
Overwrite return address or adjacent variables

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the target firmware must be built with `CONFIG_NRF70_STA_MODE` enabled - this is an explicit Kconfig build-time flag, not the default for all Zephyr targets; (2) the host must initiate a power-save GET query (e.g., via the `wifi ps` shell command or equivalent API call) to trigger the vulnerable event handler; (3) the nRF70 co-processor must return a malformed event with `num_twt_flows > 8` - this requires either co-processor firmware compromise or indirect manipulation via a rogue Wi-Fi 6 AP exploiting the TWT negotiation protocol to poison the co-processor's internal flow state. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 5.0 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects the constrained attack path accurately: exploitation requires adjacent-network positioning AND the ability to manipulate co-processor firmware or TWT session state via a rogue AP - both non-trivial preconditions that justify AC:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a rogue 802.11ax (Wi-Fi 6) access point crafts TWT session responses that cause the nRF70 co-processor to record more than eight TWT flow entries in its internal state. When the host application or shell command triggers a power-save GET query, the co-processor returns an `nrf_wifi_umac_event_power_save_info` event with `num_twt_flows` exceeding 8; the unvalidated loop in `nrf_wifi_event_proc_get_power_save_info()` then writes ~40 bytes per excess entry past the end of the stack-allocated `twt_flows` array, potentially overwriting return addresses or adjacent stack variables on bare-metal RTOS targets lacking exploit mitigations.
Remediation Integrate the upstream fix commit a2c4324acd50a5f92e492e6e460e6297af826148 from https://github.com/zephyrproject-rtos/zephyr/commit/a2c4324acd50a5f92e492e6e460e6297af826148 - this patch rejects events with `num_twt_flows > WIFI_MAX_TWT_FLOWS`, validates `event_len` against the claimed entry count, and adds a NULL check on the destination buffer, fully closing the overflow. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

EUVD-2026-43241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy