CVE-2026-10664 in zephyrinfo

Summary

by MITRE • 07/12/2026

The nRF70 Wi-Fi driver's power-save event handler nrf_wifi_event_proc_get_power_save_info() in drivers/wifi/nrf_wifi/src/wifi_mgmt.c copied TWT (Target Wake Time) flow entries from an nrf_wifi_umac_event_power_save_info event into the fixed-size twt_flows[WIFI_MAX_TWT_FLOWS] (8-element) array of a caller-supplied struct wifi_ps_config, looping over event-provided num_twt_flows without validating it against WIFI_MAX_TWT_FLOWS or checking event_len. When num_twt_flows exceeds 8, the handler writes past the destination array (which is typically on the caller's stack, e.g. the wifi ps shell command) -- an out-of-bounds write of ~40-byte TWT entries -- and reads twt_flow_info[i] past the event buffer. The event is delivered by the nRF70 co-processor firmware in response to a host-initiated power-save GET, so reaching the overflow requires the firmware to emit a malformed or out-of-range event; the trust boundary is host-to-trusted-coprocessor rather than a direct remote-AP write, with over-the-air influence on the flow count being indirect and bounded by the 3-bit TWT flow-id space. Affected: builds with CONFIG_NRF70_STA_MODE on releases through v4.4.0. The fix rejects events with num_twt_flows > WIFI_MAX_TWT_FLOWS or with event_len shorter than the claimed entries, and adds a NULL check on the caller buffer.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/12/2026

The vulnerability exists within the nrf_wifi_event_proc_get_power_save_info() function in the nRF70 Wi-Fi driver's power-save event handler, specifically in the file drivers/wifi/nrf_wifi/src/wifi_mgmt.c. This function processes TWT (Target Wake Time) flow entries from an nrf_wifi_umac_event_power_save_info event and copies them into a fixed-size array twt_flows[WIFI_MAX_TWT_FLOWS] within a caller-supplied struct wifi_ps_config. The flaw arises from inadequate input validation where the handler does not verify that the event-provided num_twt_flows parameter remains within the bounds of the fixed-size array, which is limited to 8 elements. The function loops over the event-provided num_twt_flows without performing any boundary checks against WIFI_MAX_TWT_FLOWS or validating the event_len parameter, creating a potential out-of-bounds write condition. This vulnerability represents a classic buffer overflow scenario as defined by CWE-129, where insufficient validation of the length parameter leads to memory corruption.

The operational impact of this vulnerability is significant as it allows for arbitrary memory writes that can overwrite adjacent stack data structures or potentially execute malicious code through stack corruption. The affected array twt_flows is typically located on the caller's stack, making it particularly dangerous when processing the wifi ps shell command which uses this function. Each TWT entry is approximately 40 bytes in size, and when num_twt_flows exceeds the 8-element limit, the handler writes beyond the allocated memory boundaries. Additionally, the code reads twt_flow_info[i] past the event buffer boundary, creating both write and read overflow conditions that can lead to information disclosure or system instability. The trust boundary for this vulnerability is established between the host system and the trusted nRF70 co-processor firmware, where a malformed event from the firmware could trigger the vulnerable code path.

The root cause stems from the absence of proper input validation mechanisms within the power-save event processing logic, which violates fundamental security principles outlined in the ATT&CK framework under technique T1059.001 for command and scripting interpreter. The vulnerability affects all builds configured with CONFIG_NRF70_STA_MODE and is present through version v4.4.0 of the firmware. Since the event originates from the nRF70 co-processor in response to host-initiated power-save GET commands, exploitation requires the firmware to generate a malformed or out-of-range event, making it less directly exploitable but still concerning due to its potential for causing system instability or privilege escalation. The 3-bit TWT flow-id space limits the maximum theoretical flow count to 8, yet the driver fails to enforce this constraint during processing.

The proposed fix addresses this vulnerability by implementing robust input validation that rejects events with num_twt_flows exceeding WIFI_MAX_TWT_FLOWS and validates event_len against the claimed number of entries. This approach directly mitigates the buffer overflow conditions by ensuring that memory operations remain within allocated bounds. The addition of a NULL check on the caller buffer provides an additional layer of protection against dereferencing invalid pointers, which is particularly important in embedded systems where memory corruption can have severe consequences. These defensive programming measures align with the principles of secure coding practices recommended in ISO/IEC 27045 and help prevent similar vulnerabilities from occurring in future implementations while maintaining the functionality of the power-save management features.

The vulnerability demonstrates a critical flaw in privilege boundary enforcement, where trusted firmware components can potentially cause memory corruption in host-side code through malformed event processing. This represents a potential attack vector that could be leveraged by an attacker with control over the co-processor firmware to achieve arbitrary code execution or system compromise. The fix ensures proper validation of all inputs before memory operations are performed, which is essential for maintaining system integrity and preventing cascading failures in embedded wireless communication systems.

Responsible

Zephyr

Reservation

06/02/2026

Disclosure

07/12/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!