Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-10669: bounds in zephyrproject zephyr

0
High
VulnerabilityCVE-2026-10669cvecve-2026-10669
Published: 07/14/2026 (07/14/2026, 15:02:02 UTC)
Source: CVE Database V5
Vendor/Project: zephyrproject
Product: zephyr

Description

On Xtensa SoCs built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, arch_buffer_validate() in arch/xtensa/core/mpu.c — the architecture hook that verifies a user-mode-supplied buffer is accessible to the calling user thread with the requested permission — defaulted its return value to 0 (access permitted) and only set a denial result inside its per-MPU-region probe loop. When the rounded extent of the buffer wraps the 32-bit address space (size + alignment offset near SIZE_MAX, or ROUND_UP(size + offset) overflowing to 0), the loop executes zero iterations and the function returns 0 = permitted without probing any MPU region. The syscall-layer pre-checks (K_SYSCALL_MEMORY_SIZE_CHECK / Z_DETECT_POINTER_OVERFLOW) only catch a raw addr+size wrap and do not cover the ROUND_UP-induced wrap, and the string path (arch_user_string_nlen -> arch_buffer_validate) has no syscall-layer guard at all. An unprivileged user-mode thread can therefore pass a crafted (addr, size) to any syscall that validates user buffers via k_usermode_from_copy/to_copy or k_usermode_string_copy and have validation succeed for memory it must not access; the kernel then reads from (disclosure) or, with write=1, writes to (corruption) attacker-chosen kernel or other-partition memory on the thread's behalf, enabling information disclosure, memory corruption, privilege escalation, and denial of service. Affected from v3.7.0 (when Xtensa MPU userspace support was added) through v4.4.0. The fix changes the default to -EINVAL (deny by default), adds an explicit size_add_overflow check, and sets the success value only after the full range has been validated.

CVSS v3.1

Score 7.8high

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected software

GitHub Actionsmore threats →cve
zephyr
pkg:github/zephyr
Affected versions
>=3.7.0 <4.5.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 15:38:11 UTC

Technical Analysis

In Zephyr OS on Xtensa SoCs built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, the function arch_buffer_validate() incorrectly defaults to permitting access (return 0) and only denies access inside a loop that probes MPU regions. When the buffer's rounded extent causes a 32-bit address wraparound, the loop does not execute, resulting in an implicit permit without validation. Syscall-layer pre-checks do not catch this specific wraparound condition. Consequently, an unprivileged user-mode thread can supply a crafted buffer to syscalls that validate user buffers, causing the kernel to read or write memory it should not access. This leads to information disclosure, memory corruption, privilege escalation, and denial of service. The vulnerability affects Zephyr versions from 3.7.0 (when Xtensa MPU userspace support was added) through 4.4.0. The fix changes the default return value to -EINVAL (deny by default), adds explicit overflow checks, and sets success only after full validation.

Potential Impact

An attacker with unprivileged user-mode access on affected Zephyr OS versions can bypass memory access validation checks for user-supplied buffers. This allows unauthorized kernel memory disclosure, corruption, privilege escalation, and denial of service. The vulnerability affects systems running on Xtensa SoCs with MPU and userspace enabled, potentially compromising system integrity and confidentiality.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix changes the default validation result to deny access, adds explicit overflow checks, and ensures full buffer validation before permitting access. Until an official patch or update is available, avoid running untrusted user-mode code on affected Zephyr versions with Xtensa MPU userspace enabled.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
zephyr
Date Reserved
2026-06-02T15:25:31.939Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a56533f68715ace43bba7bf

Added to database: 07/14/2026, 15:18:23 UTC

Last enriched: 07/14/2026, 15:38:11 UTC

Last updated: 07/15/2026, 02:16:35 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses