zephyrproject zephyr up to 4.4.x Power-Save Event wifi_mgmt.c nrf_wifi_event_proc_get_power_save_info num_twt_flows out-of-bounds write
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.8 | $0-$5k | 3.93 |
Summary
A vulnerability was found in zephyrproject zephyr up to 4.4.x. It has been declared as very critical. This affects the function nrf_wifi_event_proc_get_power_save_info of the file drivers/wifi/nrf_wifi/src/wifi_mgmt.c of the component Power-Save Event Handler. The manipulation of the argument num_twt_flows results in out-of-bounds write.
This vulnerability is known as CVE-2026-10664. Attacking locally is a requirement. No exploit is available.
Details
A vulnerability was found in zephyrproject zephyr up to 4.4.x. It has been classified as very critical. Affected is the function nrf_wifi_event_proc_get_power_save_info of the file drivers/wifi/nrf_wifi/src/wifi_mgmt.c of the component Power-Save Event Handler. The manipulation of the argument num_twt_flows with an unknown input leads to a out-of-bounds write vulnerability. CWE is classifying the issue as CWE-787. The product writes data past the end, or before the beginning, of the intended buffer. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
The nRF70 Wi-Fi driver's power-save event handler nrf_wifi_event_proc_get_power_save_info() in drivers/wifi/nrf_wifi/src/wifi_mgmt.c copied TWT (Target Wake Time) flow entries from an nrf_wifi_umac_event_power_save_info event into the fixed-size twt_flows[WIFI_MAX_TWT_FLOWS] (8-element) array of a caller-supplied struct wifi_ps_config, looping over event-provided num_twt_flows without validating it against WIFI_MAX_TWT_FLOWS or checking event_len. When num_twt_flows exceeds 8, the handler writes past the destination array (which is typically on the caller's stack, e.g. the wifi ps shell command) -- an out-of-bounds write of ~40-byte TWT entries -- and reads twt_flow_info[i] past the event buffer. The event is delivered by the nRF70 co-processor firmware in response to a host-initiated power-save GET, so reaching the overflow requires the firmware to emit a malformed or out-of-range event; the trust boundary is host-to-trusted-coprocessor rather than a direct remote-AP write, with over-the-air influence on the flow count being indirect and bounded by the 3-bit TWT flow-id space. Affected: builds with CONFIG_NRF70_STA_MODE on releases through v4.4.0. The fix rejects events with num_twt_flows > WIFI_MAX_TWT_FLOWS or with event_len shorter than the claimed entries, and adds a NULL check on the caller buffer.
The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-10664 since 06/02/2026. The exploitability is told to be easy. The attack needs to be approached locally. The exploitation requires an enhanced level of successful authentication. There are known technical details, but no exploit is available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 07/12/2026).
Upgrading to version 4.5.0 eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-43241). VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Type
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.2VulDB Meta Temp Score: 7.8
VulDB Base Score: 8.2
VulDB Temp Score: 7.8
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Out-of-bounds writeCWE: CWE-787 / CWE-119
CAPEC: 🔒
ATT&CK: 🔒
Physical: Partially
Local: Yes
Remote: No
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔒
Upgrade: zephyr 4.5.0
Timeline
06/02/2026 CVE reserved07/12/2026 Advisory disclosed
07/12/2026 VulDB entry created
07/12/2026 VulDB entry last update
Sources
Advisory: github.comStatus: Confirmed
CVE: CVE-2026-10664 (🔒)
GCVE (CVE): GCVE-0-2026-10664
GCVE (VulDB): GCVE-100-377880
EUVD: 🔒
Entry
Created: 07/12/2026 18:56Updated: 07/12/2026 22:22
Changes: 07/12/2026 18:56 (57), 07/12/2026 22:22 (1)
Complete: 🔍
Cache ID: 216::103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.