CVE-2026-10673

zephyrproject · zephyr

Memory safety vulnerabilities in the Zephyr ADIN2111/ADIN1110 Ethernet driver allow for potential memory corruption or unauthorized data access.

Executive summary

Memory safety flaws in the Zephyr Ethernet driver expose the system to potential corruption and unauthorized access, necessitating an immediate update to the latest version.

Vulnerability

This issue involves memory safety errors (CWE-787, CWE-125) within the ADIN2111/ADIN1110 10BASE-T1S/T1L Ethernet driver. These flaws allow an attacker with adjacent network access to trigger memory corruption or read out-of-bounds memory, which could lead to system instability or arbitrary code execution.

Business impact

Given the CVSS score of 8.3, this vulnerability poses a significant risk to systems relying on Zephyr for network communications. Exploitation could result in a complete compromise of the embedded device, leading to service disruption or the exfiltration of sensitive data handled by the RTOS.

Remediation

Immediate Action: Update the Zephyr RTOS to version 4.5.0 or later to patch the vulnerable Ethernet driver.

Proactive Monitoring: Monitor network traffic for malformed frames or unexpected behavior in devices utilizing the ADIN2111/ADIN1110 hardware interfaces.

Compensating Controls: Isolate devices using the affected driver to a trusted, restricted network segment to prevent adjacent network attackers from reaching the vulnerable interface.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Due to the existence of a proof-of-concept and the critical nature of memory corruption vulnerabilities in RTOS environments, users must prioritize the transition to Zephyr version 4.5.0. Failure to update leaves devices exposed to network-based attacks that could result in full system takeover.