Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-10672: bounds in zephyrproject zephyr

0
High
VulnerabilityCVE-2026-10672cvecve-2026-10672
Published: 07/14/2026 (07/14/2026, 15:02:04 UTC)
Source: CVE Database V5
Vendor/Project: zephyrproject
Product: zephyr

Description

subsys/net/lib/lwm2m/lwm2m_pull_context.c copied the firmware-update Package URI into a fixed static buffer (context.uri, size CONFIG_LWM2M_SWMGMT_PACKAGE_URI_LEN, default 128) with memcpy(context.uri, uri, LWM2M_PACKAGE_URI_LEN), copying exactly the destination size with no length validation. The Firmware-Update object stores the server-supplied Package URI (/5/0/1) in a 255-byte buffer, so a LwM2M management server (or an on-path attacker on a session lacking strong DTLS) can WRITE a URI of 128-254 characters; only the first 128 bytes are then copied into context.uri with no NUL terminator. That buffer is subsequently consumed as a C string by http_parser_parse_url(context.uri, strlen(context.uri), ...), strlen-based CoAP URI-path/PROXY-URI option appends, and lwm2m_parse_peerinfo(), causing an out-of-bounds read of adjacent static memory. The over-read bytes are appended to outbound CoAP requests (information disclosure of adjacent device memory to the server/proxy) and can crash the device (denial of service). The vulnerable copy was introduced by the pull-context refactor (first released in v3.0.0) and is present through v4.4.0; the default-on CONFIG_LWM2M_FIRMWARE_UPDATE_PULL_SUPPORT path is affected. The fix adds a strlen(uri) >= sizeof(context.uri) check returning -ENOMEM and switches to strcpy(), guaranteeing a bounded, NUL-terminated buffer.

CVSS v3.1

Score 8.2high

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Affected software

GitHub Actionsmore threats →cve
zephyr
pkg:github/zephyr
Affected versions
>=3.0.0 <4.5.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 15:36:35 UTC

Technical Analysis

The vulnerability occurs in subsys/net/lib/lwm2m/lwm2m_pull_context.c where the firmware-update Package URI is copied into a fixed static buffer (context.uri) of size CONFIG_LWM2M_SWMGMT_PACKAGE_URI_LEN (default 128) using memcpy without validating the length of the source URI. The server-supplied Package URI can be up to 255 bytes, but only the first 128 bytes are copied without a null terminator, causing subsequent functions that treat context.uri as a C string to read out-of-bounds memory. This out-of-bounds read leaks adjacent static memory contents appended to outbound CoAP requests, potentially disclosing sensitive information to the server or proxy. Additionally, this can cause device crashes resulting in denial of service. The vulnerability was introduced in version 3.0.0 and is present through 4.4.0. The fix involves checking that the URI length is less than the buffer size and using strcpy to guarantee a null-terminated string, preventing out-of-bounds reads.

Potential Impact

An unauthenticated network attacker or an on-path attacker on a session without strong DTLS can supply a crafted Package URI that triggers an out-of-bounds read of adjacent device memory. This leads to information disclosure of potentially sensitive memory contents to the attacker. Additionally, the malformed buffer can cause device crashes, resulting in denial of service. The vulnerability does not allow code execution or integrity compromise but poses a confidentiality and availability risk.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix adds a length check and ensures null termination of the buffer to prevent out-of-bounds reads. Until an official patch or update is applied, avoid exposing the LwM2M firmware update service to untrusted networks or ensure strong DTLS protection to prevent on-path attackers from injecting malicious URIs.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
zephyr
Date Reserved
2026-06-02T15:25:35.843Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a56533f68715ace43bba7cb

Added to database: 07/14/2026, 15:18:23 UTC

Last enriched: 07/14/2026, 15:36:35 UTC

Last updated: 07/15/2026, 00:27:40 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses