CVE-2026-10672 in zephyrinfo

Summary

by MITRE • 07/14/2026

subsys/net/lib/lwm2m/lwm2m_pull_context.c copied the firmware-update Package URI into a fixed static buffer (context.uri, size CONFIG_LWM2M_SWMGMT_PACKAGE_URI_LEN, default 128) with memcpy(context.uri, uri, LWM2M_PACKAGE_URI_LEN), copying exactly the destination size with no length validation. The Firmware-Update object stores the server-supplied Package URI (/5/0/1) in a 255-byte buffer, so a LwM2M management server (or an on-path attacker on a session lacking strong DTLS) can WRITE a URI of 128-254 characters; only the first 128 bytes are then copied into context.uri with no NUL terminator. That buffer is subsequently consumed as a C string by http_parser_parse_url(context.uri, strlen(context.uri), ...), strlen-based CoAP URI-path/PROXY-URI option appends, and lwm2m_parse_peerinfo(), causing an out-of-bounds read of adjacent static memory. The over-read bytes are appended to outbound CoAP requests (information disclosure of adjacent device memory to the server/proxy) and can crash the device (denial of service). The vulnerable copy was introduced by the pull-context refactor (first released in v3.0.0) and is present through v4.4.0; the default-on CONFIG_LWM2M_FIRMWARE_UPDATE_PULL_SUPPORT path is affected. The fix adds a strlen(uri) >= sizeof(context.uri) check returning -ENOMEM and switches to strcpy(), guaranteeing a bounded, NUL-terminated buffer.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability resides in the Lightweight Machine-to-Machine (LwM2M) firmware update pull functionality within the Zephyr RTOS subsystem, specifically in the file subsys/net/lib/lwm2m/lwm2m_pull_context.c. This flaw represents a classic buffer overflow condition that occurs when copying data from an untrusted source into a fixed-size static buffer without proper validation. The implementation uses memcpy to copy the firmware package URI directly from the server-supplied value into a context.uri buffer of size CONFIG_LWM2M_SWMGMT_PACKAGE_URI_LEN, which defaults to 128 bytes. This design creates a dangerous situation where the destination buffer is insufficient to handle potentially longer URIs that can be provided by a malicious LwM2M management server or an attacker intercepting communication on an unsecured DTLS session.

The technical flaw manifests when a server writes a URI of between 128 and 254 characters into the firmware update object's URI field at path /5/0/1, which is stored in a 255-byte buffer. The vulnerable code copies exactly the destination size (128 bytes) without checking if the source URI exceeds this limit, resulting in no null termination of the destination buffer. This condition creates a buffer overflow that extends beyond the intended buffer boundaries, leading to out-of-bounds memory access patterns that are classified under CWE-121 as stack-based buffer overflow. The vulnerability is particularly dangerous because it occurs during the firmware update pull process, which is enabled by default in the CONFIG_LWM2M_FIRMWARE_UPDATE_PULL_SUPPORT configuration option.

The operational impact of this vulnerability spans multiple security domains and can result in both information disclosure and denial of service conditions. When the malformed URI is processed through subsequent functions like http_parser_parse_url that rely on strlen() for string length determination, the out-of-bounds read accesses adjacent static memory regions. This memory disclosure can expose sensitive device information including cryptographic keys, credentials, or internal state data to the LwM2M server or any proxy in the communication path. Additionally, the improper memory access patterns can cause the device to crash during CoAP request construction, leading to denial of service conditions that disrupt legitimate device operations and potentially compromise device availability for critical firmware updates.

The vulnerability affects all versions from v3.0.0 through v4.4.0 where the pull-context refactor was introduced, making it a long-standing issue in the Zephyr RTOS ecosystem. The attack vector requires either a compromised LwM2M management server or an active man-in-the-middle position on an unencrypted DTLS session, but once exploited, the consequences can be severe for device security and reliability. The fix implemented addresses this by adding a length validation check that compares strlen(uri) against sizeof(context.uri) and returns -ENOMEM when the source URI would exceed the destination buffer capacity. This approach prevents the overflow condition from occurring in the first place by rejecting oversized URIs before any copying operation takes place, while also switching from memcpy to strcpy for guaranteed null termination. This remediation aligns with ATT&CK technique T1059.007 for command and scripting interpreter and addresses the underlying memory corruption vulnerability through proper input validation and bounds checking as recommended in secure coding practices and industry standards for embedded systems security.

Responsible

Zephyr

Reservation

06/02/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!