Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-10659: memory-safety in zephyrproject zephyr

0
Medium
VulnerabilityCVE-2026-10659cvecve-2026-10659
Published: 07/07/2026 (07/07/2026, 12:58:11 UTC)
Source: CVE Database V5
Vendor/Project: zephyrproject
Product: zephyr

Description

The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DHARA_E_ECC in dhara_nand_read, and similar in dhara_nand_erase/prog/copy). The upstream Dhara library calls these callbacks with err == NULL along its journal-resume binary search: find_last_checkblock() invokes find_checkblock(j, mid, &found, NULL), which forwards the NULL pointer into dhara_nand_read(). This path runs during disk_ftl_access_init() -> dhara_map_resume() whenever the FTL disk is mounted/initialised. If a flash read error (uncorrectable ECC, bad block, controller error) occurs on one of the probed checkpoint pages, the driver dereferences and writes to NULL, faulting the kernel (denial of service). The trigger is conditioned on the NAND medium content/health, which can be influenced by media wear, induced faults, or a corrupted/crafted on-flash image. The fix routes all error assignments through the library's NULL-safe dhara_set_error() helper. Affects Zephyr v4.4.0, where the driver was introduced.

CVSS v3.1

Score 4.7medium

Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected software

GitHub Actionsmore threats →cve
zephyr
pkg:github/zephyr
Affected versions
>=4.4.0 <4.5.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/07/2026, 13:28:43 UTC

Technical Analysis

The Dhara flash translation layer disk driver in Zephyr (drivers/disk/ftl_dhara.c) implemented callbacks that write error codes via a caller-supplied pointer without verifying if the pointer is NULL. The upstream Dhara library calls these callbacks with a NULL error pointer during its journal-resume binary search process. If a flash read error occurs on checkpoint pages during disk initialization, the driver attempts to write to a NULL pointer, causing a kernel fault and denial of service. This vulnerability affects Zephyr versions 4.4.0 up to but not including 4.5.0, where the driver was introduced. The fix involves routing error assignments through a NULL-safe helper function.

Potential Impact

A NULL pointer dereference can occur during disk initialization if a flash error is encountered on checkpoint pages, causing the kernel to fault and resulting in a denial of service. The trigger depends on NAND medium conditions such as wear, induced faults, or corrupted on-flash images. There is no impact on confidentiality or integrity, only availability is affected.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is fixed by routing error assignments through a NULL-safe helper function. Until an official fix is available, avoid using affected versions or mitigate exposure to corrupted NAND media that could trigger the fault.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
zephyr
Date Reserved
2026-06-02T15:24:36.650Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a4cfbe1c9d9e3dbe32fc630

Added to database: 07/07/2026, 13:15:13 UTC

Last enriched: 07/07/2026, 13:28:43 UTC

Last updated: 07/07/2026, 14:08:04 UTC

Views: 7

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses