CVE-2026-10669: bounds in zephyrproject zephyr
On Xtensa SoCs built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, arch_buffer_validate() in arch/xtensa/core/mpu.c — the architecture hook that verifies a user-mode-supplied buffer is accessible to the calling user thread with the requested permission — defaulted its return value to 0 (access permitted) and only set a denial result inside its per-MPU-region probe loop. When the rounded extent of the buffer wraps the 32-bit address space (size + alignment offset near SIZE_MAX, or ROUND_UP(size + offset) overflowing to 0), the loop executes zero iterations and the function returns 0 = permitted without probing any MPU region. The syscall-layer pre-checks (K_SYSCALL_MEMORY_SIZE_CHECK / Z_DETECT_POINTER_OVERFLOW) only catch a raw addr+size wrap and do not cover the ROUND_UP-induced wrap, and the string path (arch_user_string_nlen -> arch_buffer_validate) has no syscall-layer guard at all. An unprivileged user-mode thread can therefore pass a crafted (addr, size) to any syscall that validates user buffers via k_usermode_from_copy/to_copy or k_usermode_string_copy and have validation succeed for memory it must not access; the kernel then reads from (disclosure) or, with write=1, writes to (corruption) attacker-chosen kernel or other-partition memory on the thread's behalf, enabling information disclosure, memory corruption, privilege escalation, and denial of service. Affected from v3.7.0 (when Xtensa MPU userspace support was added) through v4.4.0. The fix changes the default to -EINVAL (deny by default), adds an explicit size_add_overflow check, and sets the success value only after the full range has been validated.
AI Analysis
Technical Summary
In Zephyr OS on Xtensa SoCs built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, the function arch_buffer_validate() incorrectly defaults to permitting access (return 0) and only denies access inside a loop that probes MPU regions. When the buffer's rounded extent causes a 32-bit address wraparound, the loop does not execute, resulting in an implicit permit without validation. Syscall-layer pre-checks do not catch this specific wraparound condition. Consequently, an unprivileged user-mode thread can supply a crafted buffer to syscalls that validate user buffers, causing the kernel to read or write memory it should not access. This leads to information disclosure, memory corruption, privilege escalation, and denial of service. The vulnerability affects Zephyr versions from 3.7.0 (when Xtensa MPU userspace support was added) through 4.4.0. The fix changes the default return value to -EINVAL (deny by default), adds explicit overflow checks, and sets success only after full validation.
Potential Impact
An attacker with unprivileged user-mode access on affected Zephyr OS versions can bypass memory access validation checks for user-supplied buffers. This allows unauthorized kernel memory disclosure, corruption, privilege escalation, and denial of service. The vulnerability affects systems running on Xtensa SoCs with MPU and userspace enabled, potentially compromising system integrity and confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix changes the default validation result to deny access, adds explicit overflow checks, and ensures full buffer validation before permitting access. Until an official patch or update is available, avoid running untrusted user-mode code on affected Zephyr versions with Xtensa MPU userspace enabled.
CVE-2026-10669: bounds in zephyrproject zephyr
Description
On Xtensa SoCs built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, arch_buffer_validate() in arch/xtensa/core/mpu.c — the architecture hook that verifies a user-mode-supplied buffer is accessible to the calling user thread with the requested permission — defaulted its return value to 0 (access permitted) and only set a denial result inside its per-MPU-region probe loop. When the rounded extent of the buffer wraps the 32-bit address space (size + alignment offset near SIZE_MAX, or ROUND_UP(size + offset) overflowing to 0), the loop executes zero iterations and the function returns 0 = permitted without probing any MPU region. The syscall-layer pre-checks (K_SYSCALL_MEMORY_SIZE_CHECK / Z_DETECT_POINTER_OVERFLOW) only catch a raw addr+size wrap and do not cover the ROUND_UP-induced wrap, and the string path (arch_user_string_nlen -> arch_buffer_validate) has no syscall-layer guard at all. An unprivileged user-mode thread can therefore pass a crafted (addr, size) to any syscall that validates user buffers via k_usermode_from_copy/to_copy or k_usermode_string_copy and have validation succeed for memory it must not access; the kernel then reads from (disclosure) or, with write=1, writes to (corruption) attacker-chosen kernel or other-partition memory on the thread's behalf, enabling information disclosure, memory corruption, privilege escalation, and denial of service. Affected from v3.7.0 (when Xtensa MPU userspace support was added) through v4.4.0. The fix changes the default to -EINVAL (deny by default), adds an explicit size_add_overflow check, and sets the success value only after the full range has been validated.
CVSS v3.1
Score 7.8high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In Zephyr OS on Xtensa SoCs built with CONFIG_XTENSA_MPU and CONFIG_USERSPACE, the function arch_buffer_validate() incorrectly defaults to permitting access (return 0) and only denies access inside a loop that probes MPU regions. When the buffer's rounded extent causes a 32-bit address wraparound, the loop does not execute, resulting in an implicit permit without validation. Syscall-layer pre-checks do not catch this specific wraparound condition. Consequently, an unprivileged user-mode thread can supply a crafted buffer to syscalls that validate user buffers, causing the kernel to read or write memory it should not access. This leads to information disclosure, memory corruption, privilege escalation, and denial of service. The vulnerability affects Zephyr versions from 3.7.0 (when Xtensa MPU userspace support was added) through 4.4.0. The fix changes the default return value to -EINVAL (deny by default), adds explicit overflow checks, and sets success only after full validation.
Potential Impact
An attacker with unprivileged user-mode access on affected Zephyr OS versions can bypass memory access validation checks for user-supplied buffers. This allows unauthorized kernel memory disclosure, corruption, privilege escalation, and denial of service. The vulnerability affects systems running on Xtensa SoCs with MPU and userspace enabled, potentially compromising system integrity and confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix changes the default validation result to deny access, adds explicit overflow checks, and ensures full buffer validation before permitting access. Until an official patch or update is available, avoid running untrusted user-mode code on affected Zephyr versions with Xtensa MPU userspace enabled.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-02T15:25:31.939Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a56533f68715ace43bba7bf
Added to database: 07/14/2026, 15:18:23 UTC
Last enriched: 07/14/2026, 15:38:11 UTC
Last updated: 07/15/2026, 02:16:35 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.