CVE-2026-10672: bounds in zephyrproject zephyr
subsys/net/lib/lwm2m/lwm2m_pull_context.c copied the firmware-update Package URI into a fixed static buffer (context.uri, size CONFIG_LWM2M_SWMGMT_PACKAGE_URI_LEN, default 128) with memcpy(context.uri, uri, LWM2M_PACKAGE_URI_LEN), copying exactly the destination size with no length validation. The Firmware-Update object stores the server-supplied Package URI (/5/0/1) in a 255-byte buffer, so a LwM2M management server (or an on-path attacker on a session lacking strong DTLS) can WRITE a URI of 128-254 characters; only the first 128 bytes are then copied into context.uri with no NUL terminator. That buffer is subsequently consumed as a C string by http_parser_parse_url(context.uri, strlen(context.uri), ...), strlen-based CoAP URI-path/PROXY-URI option appends, and lwm2m_parse_peerinfo(), causing an out-of-bounds read of adjacent static memory. The over-read bytes are appended to outbound CoAP requests (information disclosure of adjacent device memory to the server/proxy) and can crash the device (denial of service). The vulnerable copy was introduced by the pull-context refactor (first released in v3.0.0) and is present through v4.4.0; the default-on CONFIG_LWM2M_FIRMWARE_UPDATE_PULL_SUPPORT path is affected. The fix adds a strlen(uri) >= sizeof(context.uri) check returning -ENOMEM and switches to strcpy(), guaranteeing a bounded, NUL-terminated buffer.
AI Analysis
Technical Summary
The vulnerability occurs in subsys/net/lib/lwm2m/lwm2m_pull_context.c where the firmware-update Package URI is copied into a fixed static buffer (context.uri) of size CONFIG_LWM2M_SWMGMT_PACKAGE_URI_LEN (default 128) using memcpy without validating the length of the source URI. The server-supplied Package URI can be up to 255 bytes, but only the first 128 bytes are copied without a null terminator, causing subsequent functions that treat context.uri as a C string to read out-of-bounds memory. This out-of-bounds read leaks adjacent static memory contents appended to outbound CoAP requests, potentially disclosing sensitive information to the server or proxy. Additionally, this can cause device crashes resulting in denial of service. The vulnerability was introduced in version 3.0.0 and is present through 4.4.0. The fix involves checking that the URI length is less than the buffer size and using strcpy to guarantee a null-terminated string, preventing out-of-bounds reads.
Potential Impact
An unauthenticated network attacker or an on-path attacker on a session without strong DTLS can supply a crafted Package URI that triggers an out-of-bounds read of adjacent device memory. This leads to information disclosure of potentially sensitive memory contents to the attacker. Additionally, the malformed buffer can cause device crashes, resulting in denial of service. The vulnerability does not allow code execution or integrity compromise but poses a confidentiality and availability risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix adds a length check and ensures null termination of the buffer to prevent out-of-bounds reads. Until an official patch or update is applied, avoid exposing the LwM2M firmware update service to untrusted networks or ensure strong DTLS protection to prevent on-path attackers from injecting malicious URIs.
CVE-2026-10672: bounds in zephyrproject zephyr
Description
subsys/net/lib/lwm2m/lwm2m_pull_context.c copied the firmware-update Package URI into a fixed static buffer (context.uri, size CONFIG_LWM2M_SWMGMT_PACKAGE_URI_LEN, default 128) with memcpy(context.uri, uri, LWM2M_PACKAGE_URI_LEN), copying exactly the destination size with no length validation. The Firmware-Update object stores the server-supplied Package URI (/5/0/1) in a 255-byte buffer, so a LwM2M management server (or an on-path attacker on a session lacking strong DTLS) can WRITE a URI of 128-254 characters; only the first 128 bytes are then copied into context.uri with no NUL terminator. That buffer is subsequently consumed as a C string by http_parser_parse_url(context.uri, strlen(context.uri), ...), strlen-based CoAP URI-path/PROXY-URI option appends, and lwm2m_parse_peerinfo(), causing an out-of-bounds read of adjacent static memory. The over-read bytes are appended to outbound CoAP requests (information disclosure of adjacent device memory to the server/proxy) and can crash the device (denial of service). The vulnerable copy was introduced by the pull-context refactor (first released in v3.0.0) and is present through v4.4.0; the default-on CONFIG_LWM2M_FIRMWARE_UPDATE_PULL_SUPPORT path is affected. The fix adds a strlen(uri) >= sizeof(context.uri) check returning -ENOMEM and switches to strcpy(), guaranteeing a bounded, NUL-terminated buffer.
CVSS v3.1
Score 8.2high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability occurs in subsys/net/lib/lwm2m/lwm2m_pull_context.c where the firmware-update Package URI is copied into a fixed static buffer (context.uri) of size CONFIG_LWM2M_SWMGMT_PACKAGE_URI_LEN (default 128) using memcpy without validating the length of the source URI. The server-supplied Package URI can be up to 255 bytes, but only the first 128 bytes are copied without a null terminator, causing subsequent functions that treat context.uri as a C string to read out-of-bounds memory. This out-of-bounds read leaks adjacent static memory contents appended to outbound CoAP requests, potentially disclosing sensitive information to the server or proxy. Additionally, this can cause device crashes resulting in denial of service. The vulnerability was introduced in version 3.0.0 and is present through 4.4.0. The fix involves checking that the URI length is less than the buffer size and using strcpy to guarantee a null-terminated string, preventing out-of-bounds reads.
Potential Impact
An unauthenticated network attacker or an on-path attacker on a session without strong DTLS can supply a crafted Package URI that triggers an out-of-bounds read of adjacent device memory. This leads to information disclosure of potentially sensitive memory contents to the attacker. Additionally, the malformed buffer can cause device crashes, resulting in denial of service. The vulnerability does not allow code execution or integrity compromise but poses a confidentiality and availability risk.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix adds a length check and ensures null termination of the buffer to prevent out-of-bounds reads. Until an official patch or update is applied, avoid exposing the LwM2M firmware update service to untrusted networks or ensure strong DTLS protection to prevent on-path attackers from injecting malicious URIs.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-02T15:25:35.843Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a56533f68715ace43bba7cb
Added to database: 07/14/2026, 15:18:23 UTC
Last enriched: 07/14/2026, 15:36:35 UTC
Last updated: 07/15/2026, 00:27:40 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.