Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Adjacent vector captures co-processor/AP indirect path; AC:H reflects multi-step rogue-AP-to-firmware manipulation required; C:L for OOB read, I:L/A:L for stack corruption.
Primary rating from Vendor (zephyr).
CVSS VectorVendor: zephyr
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
The nRF70 Wi-Fi driver's power-save event handler nrf_wifi_event_proc_get_power_save_info() in drivers/wifi/nrf_wifi/src/wifi_mgmt.c copied TWT (Target Wake Time) flow entries from an nrf_wifi_umac_event_power_save_info event into the fixed-size twt_flows[WIFI_MAX_TWT_FLOWS] (8-element) array of a caller-supplied struct wifi_ps_config, looping over event-provided num_twt_flows without validating it against WIFI_MAX_TWT_FLOWS or checking event_len. When num_twt_flows exceeds 8, the handler writes past the destination array (which is typically on the caller's stack, e.g. the wifi ps shell command) -- an out-of-bounds write of ~40-byte TWT entries -- and reads twt_flow_info[i] past the event buffer. The event is delivered by the nRF70 co-processor firmware in response to a host-initiated power-save GET, so reaching the overflow requires the firmware to emit a malformed or out-of-range event; the trust boundary is host-to-trusted-coprocessor rather than a direct remote-AP write, with over-the-air influence on the flow count being indirect and bounded by the 3-bit TWT flow-id space. Affected: builds with CONFIG_NRF70_STA_MODE on releases through v4.4.0. The fix rejects events with num_twt_flows > WIFI_MAX_TWT_FLOWS or with event_len shorter than the claimed entries, and adds a NULL check on the caller buffer.
AnalysisAI
Out-of-bounds stack write in Zephyr's nRF70 Wi-Fi driver exposes embedded systems to memory corruption when the nRF70 co-processor returns a power-save event with more than eight TWT flow entries. The vulnerable function nrf_wifi_event_proc_get_power_save_info() blindly copies co-processor-supplied TWT entries into a fixed 8-element stack array without validating num_twt_flows against WIFI_MAX_TWT_FLOWS, enabling heap/stack corruption of approximately 40 bytes per excess entry. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the target firmware must be built with `CONFIG_NRF70_STA_MODE` enabled - this is an explicit Kconfig build-time flag, not the default for all Zephyr targets; (2) the host must initiate a power-save GET query (e.g., via the `wifi ps` shell command or equivalent API call) to trigger the vulnerable event handler; (3) the nRF70 co-processor must return a malformed event with `num_twt_flows > 8` - this requires either co-processor firmware compromise or indirect manipulation via a rogue Wi-Fi 6 AP exploiting the TWT negotiation protocol to poison the co-processor's internal flow state. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.0 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) reflects the constrained attack path accurately: exploitation requires adjacent-network positioning AND the ability to manipulate co-processor firmware or TWT session state via a rogue AP - both non-trivial preconditions that justify AC:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operating a rogue 802.11ax (Wi-Fi 6) access point crafts TWT session responses that cause the nRF70 co-processor to record more than eight TWT flow entries in its internal state. When the host application or shell command triggers a power-save GET query, the co-processor returns an `nrf_wifi_umac_event_power_save_info` event with `num_twt_flows` exceeding 8; the unvalidated loop in `nrf_wifi_event_proc_get_power_save_info()` then writes ~40 bytes per excess entry past the end of the stack-allocated `twt_flows` array, potentially overwriting return addresses or adjacent stack variables on bare-metal RTOS targets lacking exploit mitigations. |
| Remediation | Integrate the upstream fix commit a2c4324acd50a5f92e492e6e460e6297af826148 from https://github.com/zephyrproject-rtos/zephyr/commit/a2c4324acd50a5f92e492e6e460e6297af826148 - this patch rejects events with `num_twt_flows > WIFI_MAX_TWT_FLOWS`, validates `event_len` against the claimed entry count, and adds a NULL check on the destination buffer, fully closing the overflow. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43241