CVE-2026-10673
zephyrproject · zephyr
Memory safety vulnerabilities in the Zephyr ADIN2111/ADIN1110 Ethernet driver allow for potential memory corruption or unauthorized data access.
Executive summary
Memory safety flaws in the Zephyr Ethernet driver expose the system to potential corruption and unauthorized access, necessitating an immediate update to the latest version.
Vulnerability
This issue involves memory safety errors (CWE-787, CWE-125) within the ADIN2111/ADIN1110 10BASE-T1S/T1L Ethernet driver. These flaws allow an attacker with adjacent network access to trigger memory corruption or read out-of-bounds memory, which could lead to system instability or arbitrary code execution.
Business impact
Given the CVSS score of 8.3, this vulnerability poses a significant risk to systems relying on Zephyr for network communications. Exploitation could result in a complete compromise of the embedded device, leading to service disruption or the exfiltration of sensitive data handled by the RTOS.
Remediation
Immediate Action: Update the Zephyr RTOS to version 4.5.0 or later to patch the vulnerable Ethernet driver.
Proactive Monitoring: Monitor network traffic for malformed frames or unexpected behavior in devices utilizing the ADIN2111/ADIN1110 hardware interfaces.
Compensating Controls: Isolate devices using the affected driver to a trusted, restricted network segment to prevent adjacent network attackers from reaching the vulnerable interface.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
Due to the existence of a proof-of-concept and the critical nature of memory corruption vulnerabilities in RTOS environments, users must prioritize the transition to Zephyr version 4.5.0. Failure to update leaves devices exposed to network-based attacks that could result in full system takeover.