CVE-2026-10659 in Zephyrinfo

Summary

by MITRE • 07/07/2026

The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DHARA_E_ECC in dhara_nand_read, and similar in dhara_nand_erase/prog/copy). The upstream Dhara library calls these callbacks with err == NULL along its journal-resume binary search: find_last_checkblock() invokes find_checkblock(j, mid, &found, NULL), which forwards the NULL pointer into dhara_nand_read(). This path runs during disk_ftl_access_init() -> dhara_map_resume() whenever the FTL disk is mounted/initialised. If a flash read error (uncorrectable ECC, bad block, controller error) occurs on one of the probed checkpoint pages, the driver dereferences and writes to NULL, faulting the kernel (denial of service). The trigger is conditioned on the NAND medium content/health, which can be influenced by media wear, induced faults, or a corrupted/crafted on-flash image. The fix routes all error assignments through the library's NULL-safe dhara_set_error() helper. Affects Zephyr v4.4.0, where the driver was introduced.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability described represents a critical kernel memory corruption issue within the Dhara flash translation layer implementation in the Zephyr operating system. This flaw manifests in the disk driver component located at drivers/disk/ftl_dhara.c where the dhara_nand_ callback functions are improperly implemented to write error codes directly to caller-supplied pointers without null checking. The core technical issue stems from the unconditional assignment of error codes through the dhara_error_t err pointer, particularly in functions like dhara_nand_read, dhara_nand_erase, dhara_nand_prog, and dhara_nand_copy where values such as *err = DHARA_E_ECC are written without verifying that the pointer is valid.

During normal operation, when the FTL disk initialization process begins through disk_ftl_access_init() which calls dhara_map_resume(), the upstream Dhara library executes a journal-resume binary search algorithm. This process specifically invokes find_last_checkblock() which in turn calls find_checkblock(j, mid, &found, NULL) passing a null pointer as the error parameter. The NULL pointer gets forwarded through the callback chain into dhara_nand_read() and other related functions, creating a scenario where the driver attempts to write error information to memory location zero. This direct dereferencing of a null pointer causes immediate kernel faulting and system denial of service, effectively crashing the operating system.

The operational impact of this vulnerability extends beyond simple system crashes as it creates a condition where an attacker can influence the NAND medium's health through various means including media wear patterns, induced hardware faults, or by crafting specific corrupted on-flash images. This makes the vulnerability exploitable in scenarios where adversaries can manipulate the underlying storage medium to trigger the error path during normal system initialization. The vulnerability affects Zephyr v4.4.0 and later versions where this driver was first introduced, making it a persistent threat across multiple releases of the operating system.

The root cause aligns with CWE-476 which defines NULL pointer dereference conditions, while the exploitation technique follows ATT&CK tactics including privilege escalation through kernel exploitation and denial of service via system crash. The fix implemented addresses this by routing all error assignments through a library-provided NULL-safe dhara_set_error() helper function that properly handles null pointer conditions. This mitigation approach ensures that error codes are only written when valid pointers exist, preventing the kernel from attempting to access memory location zero during the critical initialization phase of flash storage management.

The vulnerability demonstrates a classic example of improper error handling in embedded systems where the assumption about parameter validity leads to catastrophic system failures. The design flaw specifically occurs in the boundary between user-space and kernel-space error reporting mechanisms within the flash translation layer, creating an attack surface that can be leveraged for both availability attacks and potentially more sophisticated exploitation techniques depending on the system's security posture. This type of vulnerability is particularly concerning in embedded systems where recovery mechanisms may be limited and system uptime is critical for operational integrity.

Responsible

Zephyr

Reservation

06/02/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!