CVE-2026-10659: memory-safety in zephyrproject zephyr
The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DHARA_E_ECC in dhara_nand_read, and similar in dhara_nand_erase/prog/copy). The upstream Dhara library calls these callbacks with err == NULL along its journal-resume binary search: find_last_checkblock() invokes find_checkblock(j, mid, &found, NULL), which forwards the NULL pointer into dhara_nand_read(). This path runs during disk_ftl_access_init() -> dhara_map_resume() whenever the FTL disk is mounted/initialised. If a flash read error (uncorrectable ECC, bad block, controller error) occurs on one of the probed checkpoint pages, the driver dereferences and writes to NULL, faulting the kernel (denial of service). The trigger is conditioned on the NAND medium content/health, which can be influenced by media wear, induced faults, or a corrupted/crafted on-flash image. The fix routes all error assignments through the library's NULL-safe dhara_set_error() helper. Affects Zephyr v4.4.0, where the driver was introduced.
AI Analysis
Technical Summary
The Dhara flash translation layer disk driver in Zephyr (drivers/disk/ftl_dhara.c) implemented callbacks that write error codes via a caller-supplied pointer without verifying if the pointer is NULL. The upstream Dhara library calls these callbacks with a NULL error pointer during its journal-resume binary search process. If a flash read error occurs on checkpoint pages during disk initialization, the driver attempts to write to a NULL pointer, causing a kernel fault and denial of service. This vulnerability affects Zephyr versions 4.4.0 up to but not including 4.5.0, where the driver was introduced. The fix involves routing error assignments through a NULL-safe helper function.
Potential Impact
A NULL pointer dereference can occur during disk initialization if a flash error is encountered on checkpoint pages, causing the kernel to fault and resulting in a denial of service. The trigger depends on NAND medium conditions such as wear, induced faults, or corrupted on-flash images. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is fixed by routing error assignments through a NULL-safe helper function. Until an official fix is available, avoid using affected versions or mitigate exposure to corrupted NAND media that could trigger the fault.
CVE-2026-10659: memory-safety in zephyrproject zephyr
Description
The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DHARA_E_ECC in dhara_nand_read, and similar in dhara_nand_erase/prog/copy). The upstream Dhara library calls these callbacks with err == NULL along its journal-resume binary search: find_last_checkblock() invokes find_checkblock(j, mid, &found, NULL), which forwards the NULL pointer into dhara_nand_read(). This path runs during disk_ftl_access_init() -> dhara_map_resume() whenever the FTL disk is mounted/initialised. If a flash read error (uncorrectable ECC, bad block, controller error) occurs on one of the probed checkpoint pages, the driver dereferences and writes to NULL, faulting the kernel (denial of service). The trigger is conditioned on the NAND medium content/health, which can be influenced by media wear, induced faults, or a corrupted/crafted on-flash image. The fix routes all error assignments through the library's NULL-safe dhara_set_error() helper. Affects Zephyr v4.4.0, where the driver was introduced.
CVSS v3.1
Score 4.7medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Dhara flash translation layer disk driver in Zephyr (drivers/disk/ftl_dhara.c) implemented callbacks that write error codes via a caller-supplied pointer without verifying if the pointer is NULL. The upstream Dhara library calls these callbacks with a NULL error pointer during its journal-resume binary search process. If a flash read error occurs on checkpoint pages during disk initialization, the driver attempts to write to a NULL pointer, causing a kernel fault and denial of service. This vulnerability affects Zephyr versions 4.4.0 up to but not including 4.5.0, where the driver was introduced. The fix involves routing error assignments through a NULL-safe helper function.
Potential Impact
A NULL pointer dereference can occur during disk initialization if a flash error is encountered on checkpoint pages, causing the kernel to fault and resulting in a denial of service. The trigger depends on NAND medium conditions such as wear, induced faults, or corrupted on-flash images. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vulnerability is fixed by routing error assignments through a NULL-safe helper function. Until an official fix is available, avoid using affected versions or mitigate exposure to corrupted NAND media that could trigger the fault.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-02T15:24:36.650Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4cfbe1c9d9e3dbe32fc630
Added to database: 07/07/2026, 13:15:13 UTC
Last enriched: 07/07/2026, 13:28:43 UTC
Last updated: 07/07/2026, 14:08:04 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.