CVE-2026-10665

zephyrproject · zephyr

A buffer overflow vulnerability in the WireGuard subsystem of Zephyr RTOS 4.4.0 allows remote attackers to cause potential integrity or availability impacts.

Executive summary

A high-severity buffer overflow in the Zephyr RTOS WireGuard subsystem could allow remote attackers to compromise system integrity or availability.

Vulnerability

This is a Buffer Overflow (CWE-787) vulnerability located in the wg_process_data_message() function within the WireGuard cryptographic subsystem. An unauthenticated attacker can exploit this via maliciously crafted network packets to cause memory corruption, potentially leading to system instability or arbitrary code execution.

Business impact

With a CVSS score of 7.4, this vulnerability poses a serious risk to embedded devices running Zephyr RTOS. Because the flaw exists in the network stack, it is remotely exploitable, which could lead to a complete compromise of the device's integrity or result in a Denial of Service (DoS), potentially disrupting critical industrial or IoT operations.

Remediation

Immediate Action: Apply the vendor-provided security updates or backport the fix from the referenced commit to your local Zephyr environment.

Proactive Monitoring: Monitor network traffic for malformed or unexpected WireGuard protocol packets that may indicate an exploitation attempt.

Compensating Controls: If patching is not immediately feasible, isolate devices using Zephyr's WireGuard implementation behind a firewall that inspects and filters traffic to the relevant ports.

Exploitation status

Public Exploit Available: No (Exploit_available: false)

Analyst recommendation

Due to the nature of buffer overflows in kernel-level network stacks, this vulnerability should be treated with high urgency. Developers and system integrators should prioritize updating to the patched version of Zephyr or applying the upstream fix to ensure the robustness of their communication subsystems.