Skip to main content

Zephyr RTOS EUVDEUVD-2026-43696

| CVE-2026-10669 HIGH
Out-of-bounds Write (CWE-787)
2026-07-14 zephyr
7.8
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local unprivileged user thread required (AV:L, PR:L), trivially triggered overflow (AC:L), yielding arbitrary kernel read/write for full C/I/A impact within the same protection scope.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 14, 2026 - 15:35 vuln.today
Analysis Generated
Jul 14, 2026 - 15:35 vuln.today
CVE Published
Jul 14, 2026 - 15:02 cve.org
HIGH 7.8

DescriptionCVE.org

On Xtensa SoCs built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, arch_buffer_validate() in arch/xtensa/core/mpu.c - the architecture hook that verifies a user-mode-supplied buffer is accessible to the calling user thread with the requested permission - defaulted its return value to 0 (access permitted) and only set a denial result inside its per-MPU-region probe loop. When the rounded extent of the buffer wraps the 32-bit address space (size + alignment offset near SIZE_MAX, or ROUND_UP(size + offset) overflowing to 0), the loop executes zero iterations and the function returns 0 = permitted without probing any MPU region.

The syscall-layer pre-checks (K_SYSCALL_MEMORY_SIZE_CHECK / Z_DETECT_POINTER_OVERFLOW) only catch a raw addr+size wrap and do not cover the ROUND_UP-induced wrap, and the string path (arch_user_string_nlen -> arch_buffer_validate) has no syscall-layer guard at all.

An unprivileged user-mode thread can therefore pass a crafted (addr, size) to any syscall that validates user buffers via k_usermode_from_copy/to_copy or k_usermode_string_copy and have validation succeed for memory it must not access; the kernel then reads from (disclosure) or, with write=1, writes to (corruption) attacker-chosen kernel or other-partition memory on the thread's behalf, enabling information disclosure, memory corruption, privilege escalation, and denial of service.

Affected from v3.7.0 (when Xtensa MPU userspace support was added) through v4.4.0. The fix changes the default to -EINVAL (deny by default), adds an explicit size_add_overflow check, and sets the success value only after the full range has been validated.

AnalysisAI

Local privilege escalation and kernel memory corruption in Zephyr RTOS on Xtensa SoCs (v3.7.0 through v4.4.0) built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, where arch_buffer_validate() fails open on an integer-overflow edge case, letting an unprivileged user thread trick the kernel into reading or writing arbitrary kernel/partition memory on its behalf. The flaw stems from a default-permit return value combined with a ROUND_UP address-space wrap that skips the MPU probe loop entirely, and it is not caught by the existing syscall-layer overflow guards. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Run unprivileged user-mode thread on Xtensa device
Delivery
Craft (addr, size) forcing ROUND_UP address wrap
Exploit
Call syscall using k_usermode copy/string helper
Execution
Validation skips MPU loop, returns permitted
Persist
Kernel reads or writes attacker-chosen memory
Impact
Escalate privileges or corrupt kernel state

Vulnerability AssessmentAI

Exploitation Requires the target device to be an Xtensa SoC built with BOTH CONFIG_XTENSA_MPU and CONFIG_USERSPACE, and the attacker must already be executing as an unprivileged user-mode thread on that device (PR:L, AV:L - local, authenticated at user level). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (7.8 High) is internally consistent with the description: this requires local code execution as an unprivileged user-mode thread (AV:L, PR:L) with low complexity and no user interaction, and yields full confidentiality, integrity, and availability impact through arbitrary kernel memory read/write. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can run an unprivileged user-mode thread on an affected Xtensa device - for example via a compromised or malicious application partition - invokes any syscall that copies a user buffer (k_usermode_from_copy/to_copy or a string syscall) with a crafted (addr, size) pair whose rounded extent overflows the 32-bit address space to zero. Validation returns 'permitted' without probing any MPU region, so the kernel then reads attacker-chosen kernel memory (information disclosure) or, with write=1, overwrites kernel or other-partition memory (corruption), which can be leveraged into privilege escalation or denial of service. …
Remediation Patch available per vendor advisory: upgrade to the Zephyr release containing fix commit 3b1bdaf5482188ca110ef9a411aaa8c7d3db3b16 (https://github.com/zephyrproject-rtos/zephyr/commit/3b1bdaf5482188ca110ef9a411aaa8c7d3db3b16), which makes arch_buffer_validate() deny-by-default, adds a size_add_overflow() guard, and only permits access after full-range validation; consult GHSA-4r4p-gh69-v6w4 for the exact tagged release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all systems running Zephyr RTOS versions 3.7.0 through 4.4.0 with CONFIG_XTENSA_MPU and CONFIG_USERSPACE enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

EUVD-2026-43696 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy