CVE-2026-10665 in Zephyrinfo

Summary

by MITRE • 07/12/2026

In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg_process_data_message() in wg_crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption. The call net_buf_linearize(buf->data, data_len, pkt->buffer, ..., data_len) passed the attacker-derived data_len as both the destination capacity and the copy length, defeating the function's internal len = min(len, dst_len) bound. data_len is derived from the received UDP datagram length and is only lower-bounded by wg_ctrl_recv() (no upper bound). When data_len exceeds CONFIG_WIREGUARD_BUF_LEN — e.g. when the buffer length is lowered below the link MTU, on links with MTU above the buffer size, or via reassembled IPv4/IPv6 fragments that exceed it — the underlying memcpy writes past the end of the pool buffer, an out-of-bounds write (CWE-787). The overflow occurs before the Poly1305 authentication check, so it requires only a valid receiver session index rather than a valid authenticator, and is reachable by a malicious or compromised peer (or an on-path attacker driving an established session) over the network, yielding remote memory corruption and at minimum a reliable denial of service. The defect was present in the WireGuard implementation shipped in Zephyr 4.4.0. The fix adds an explicit data_len > CONFIG_WIREGUARD_BUF_LEN rejection and corrects the linearize call to pass net_buf_max_len(buf) as the destination capacity.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/12/2026

The vulnerability exists within the Zephyr operating system's WireGuard implementation where the wg_process_data_message function in wg_crypto.c performs an unsafe buffer management operation that leads to a heap-based out-of-bounds write condition. This flaw occurs during the processing of inbound transport data payloads where the system linearizes data into a fixed-size pool buffer defined by CONFIG_WIREGUARD_BUF_LEN configuration parameter. The function utilizes net_buf_linearize with attacker-controlled data length values as both the source copy length and destination capacity parameters, bypassing the intended bounds checking mechanism that should prevent such overflows through its internal min(len, dst_len) logic.

The technical implementation defect stems from the lack of proper upper bounds validation on the data length parameter which originates from the UDP datagram size. The wg_ctrl_recv() function only applies lower bounds checking but allows arbitrarily large values to propagate to the linearization routine, creating a scenario where malicious actors can trigger buffer overflows simply by crafting packets that exceed the configured buffer capacity. When the received data length surpasses the predefined buffer limits, typically occurring in network environments with MTU mismatches or when processing reassembled IPv4/IPv6 fragments, the underlying memcpy operation writes beyond allocated memory boundaries, constituting a classic out-of-bounds write vulnerability classified as CWE-787.

This vulnerability presents significant operational risks as it enables remote code execution or reliable denial of service conditions without requiring authentication for the cryptographic authentication layer. The attack vector allows malicious peers or network attackers positioned in-path to exploit this condition against established WireGuard sessions, making the flaw particularly dangerous in environments where network traffic is not fully trusted. Since the buffer overflow occurs prior to Poly1305 authentication verification, an attacker only needs a valid session index to initiate exploitation, eliminating the need for valid cryptographic signatures. The vulnerability affects Zephyr versions including 4.4.0 and represents a fundamental flaw in the network stack's input validation and memory management practices.

The remediation strategy involves implementing explicit bounds checking to reject data lengths that exceed the configured buffer capacity before attempting any linearization operations. The fix ensures that data_len values greater than CONFIG_WIREGUARD_BUF_LEN are rejected outright, preventing the overflow condition from occurring. Additionally, the net_buf_linearize call is corrected to use net_buf_max_len(buf) as the destination capacity parameter instead of the potentially unsafe data_len value, thereby restoring proper bounds enforcement and protecting against future similar vulnerabilities in the codebase.

This vulnerability demonstrates weaknesses in the ATT&CK framework's T1059.007 technique related to command injection through network protocols, particularly in embedded systems where network stack implementations may lack proper input validation. The flaw also aligns with T1499.004 category focusing on network denial of service attacks, while the memory corruption aspects relate to T1583.002 concerning infrastructure compromise through software supply chain vulnerabilities. Security practitioners should monitor for similar patterns in other network protocol implementations and ensure proper buffer management practices are enforced throughout embedded networking stacks. The fix addresses core security principles from NIST SP 800-160 regarding secure coding practices and defensive programming techniques to prevent buffer overflows in network processing components.

Responsible

Zephyr

Reservation

06/02/2026

Disclosure

07/12/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!