This vulnerability involves a stack-use-after-return condition in the Arduino_Core_STM32 library's pwm_start() function. The function allocates a TIM_HandleTypeDef structure on the stack and passes its pointer to HAL initialization routines, which store it in a global timer handle registry. Once pwm_start() returns, the stack memory is no longer valid, but interrupt service routines may still access this dangling pointer, leading to potential memory corruption. The CVSS 3.1 base score is 5.3 (medium severity), reflecting local attack vector, low complexity, low privileges required, no user interaction, and impacts on confidentiality, integrity, and availability at a low level. No official patch or remediation guidance is currently available.

Exploitation of this vulnerability can lead to memory corruption due to dereferencing a dangling pointer by interrupt service routines. This may result in unpredictable behavior, including potential crashes or compromised system stability. The impact affects confidentiality, integrity, and availability at a low level. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid using vulnerable versions of the Arduino_Core_STM32 library or implement additional safeguards to prevent interrupt routines from accessing the invalid pointer. Monitor vendor communications for updates regarding patches or official mitigations.