CVE-2026-10644: bounds in zephyrproject zephyr
CVE-2026-10644 is a medium severity vulnerability in the Microchip SERCOM-G1 UART driver of the Zephyr project affecting the PIC32CM-JH SoC family. It involves an out-of-bounds write in the asynchronous DMA receive path when a one-byte receive buffer is used with async UART enabled. This causes a single-byte memory corruption adjacent to the RX buffer, potentially leading to a crash or denial of service. The issue exists in Zephyr versions 4.4.0 up to but not including 4.5.0. The fix changes the handling of one-byte buffers to avoid DMA and properly reads the first byte with the CPU.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The Microchip SERCOM-G1 UART driver in Zephyr (drivers/serial/uart_mchp_sercom_g1.c) contains an out-of-bounds write vulnerability in its asynchronous DMA receive path. When uart_rx_enable() is called with a one-byte buffer and CONFIG_UART_MCHP_ASYNC is enabled, the RX-complete ISR triggers a DMA transfer that writes one byte past the end of the buffer. This overflow byte is the UART RX data from the connected serial peer. Exploitation requires async UART configuration and a one-byte RX buffer, which is not enabled by default on PIC32CM-JH boards. The impact is limited to single-byte memory corruption adjacent to the RX buffer, possibly causing a crash or denial of service. The defect was introduced in Zephyr v4.4.0 and fixed by changing the driver to read the first byte via CPU and avoid DMA for one-byte buffers.
Potential Impact
The vulnerability causes a single-byte out-of-bounds write adjacent to the RX buffer in the UART driver, which can lead to memory corruption. This may result in a system crash or denial of service. There is no confidentiality or integrity impact reported. Exploitation requires specific configuration (async UART enabled and one-byte RX buffer), which is not the default setup on affected hardware.
Mitigation Recommendations
A fix is available in Zephyr versions starting from 4.5.0, which changes the driver to avoid DMA for one-byte buffers and properly handle the first byte via CPU read. Users should upgrade to Zephyr 4.5.0 or later to remediate this issue. Patch status is not explicitly stated in the vendor advisory, but the description confirms the defect was fixed after v4.4.0. Check the official Zephyr project releases for the patch and upgrade accordingly.
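The analysis above describes the defect as a one-byte DMA write past a one-byte RX buffer, and the fix as completing such a buffer with a CPU read and skipping DMA. The C model below is an added illustration, not the Zephyr driver's code: the FIFO, the `model_read_data_reg()` / `model_dma_start()` helpers and the assumption that the modelled DMA engine never moves zero bytes are all constructed so that the flawed and corrected handlers can be compared against a canary byte placed directly after the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Simplified model of an async UART receive path. This is NOT the Zephyr
 * SERCOM-G1 driver: the function names, the FIFO model and the "DMA never
 * moves zero bytes" rule are constructed for illustration only.
 */

/* Constructed stream from the serial peer. */
static const uint8_t PEER_STREAM[] = {0x41, 0x42, 0x43, 0x44, 0x45};
static size_t peer_pos;

/* Hypothetical RX data register read: the CPU pops one byte from the FIFO. */
static uint8_t model_read_data_reg(void)
{
    if (peer_pos < sizeof(PEER_STREAM)) {
        return PEER_STREAM[peer_pos++];
    }
    return 0;
}

/* Hypothetical DMA engine: copies n bytes from the FIFO to dst.
 * Assumption of this model: the engine cannot be programmed for a
 * zero-length transfer and always moves at least one byte. */
static void model_dma_start(uint8_t *dst, size_t n)
{
    size_t moved = (n == 0) ? 1 : n;
    for (size_t i = 0; i < moved; i++) {
        dst[i] = model_read_data_reg();
    }
}

/* Flawed RX-complete handler: reads the first byte with the CPU, then
 * always hands the remainder to DMA, even when there is no remainder. */
void rx_isr_flawed(uint8_t *buf, size_t len)
{
    buf[0] = model_read_data_reg();
    model_dma_start(buf + 1, len - 1);   /* len == 1: DMA writes buf[1] */
}

/* Corrected handler: a one-byte buffer is completed entirely by the CPU
 * read and DMA is skipped, matching the fix described in the advisory. */
void rx_isr_fixed(uint8_t *buf, size_t len)
{
    buf[0] = model_read_data_reg();
    if (len > 1) {
        model_dma_start(buf + 1, len - 1);
    }
}

#define MAX_RX_LEN 8
#define CANARY     0xA5

/* Harness: runs one handler on a len-byte buffer that is immediately
 * followed by a canary byte. Copies the received bytes to out (if given)
 * and returns true only if the canary survived, i.e. no write landed
 * past the end of the buffer. */
bool run_rx(void (*isr)(uint8_t *, size_t), size_t len, uint8_t *out)
{
    uint8_t region[MAX_RX_LEN + 1];

    if (len == 0 || len > MAX_RX_LEN) {
        return false;
    }
    memset(region, CANARY, sizeof(region));
    peer_pos = 0;
    isr(region, len);
    if (out != NULL) {
        memcpy(out, region, len);
    }
    return region[len] == CANARY;
}
```

With a one-byte buffer the flawed handler clobbers the canary while the corrected one leaves it intact; with a four-byte buffer both handlers fill the buffer correctly and stay in bounds, which is why the defect is only reachable in the one-byte configuration the advisory names.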
CVSS v3.1
Score: 4.2 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: zephyr
- Date Reserved: 2026-06-02T15:11:46.303Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a40ac0127e9c79719547625
Added to database: 06/28/2026, 05:07:13 UTC
Last enriched: 06/28/2026, 05:21:24 UTC
Last updated: 06/28/2026, 08:17:58 UTC