Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-10665— Heap buffer overflow on WireGuard receive path via unbounded incoming packet length

CVSS 7.4 · High

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 1

VendorProductVersion RangeStatus
zephyrprojectzephyr4.4.0< 4.5.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-10665

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Heap buffer overflow on WireGuard receive path via unbounded incoming packet length
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg_process_data_message() in wg_crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption. The call net_buf_linearize(buf->data, data_len, pkt->buffer, ..., data_len) passed the attacker-derived data_len as both the destination capacity and the copy length, defeating the function's internal len = min(len, dst_len) bound. data_len is derived from the received UDP datagram length and is only lower-bounded by wg_ctrl_recv() (no upper bound). When data_len exceeds CONFIG_WIREGUARD_BUF_LEN — e.g. when the buffer length is lowered below the link MTU, on links with MTU above the buffer size, or via reassembled IPv4/IPv6 fragments that exceed it — the underlying memcpy writes past the end of the pool buffer, an out-of-bounds write (CWE-787). The overflow occurs before the Poly1305 authentication check, so it requires only a valid receiver session index rather than a valid authenticator, and is reachable by a malicious or compromised peer (or an on-path attacker driving an established session) over the network, yielding remote memory corruption and at minimum a reliable denial of service. The defect was present in the WireGuard implementation shipped in Zephyr 4.4.0. The fix adds an explicit data_len > CONFIG_WIREGUARD_BUF_LEN rejection and corrects the linearize call to pass net_buf_max_len(buf) as the destination capacity.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨界内存写
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
zephyrprojectzephyr 4.4.0 ~ 4.5.0 -

II. Public POCs for CVE-2026-10665

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-10665

登录查看更多情报信息。

Patches & Fixes for CVE-2026-10665 (1)

Vendor Advisories for CVE-2026-10665 (1)

Same Patch Batch · zephyrproject · 2026-07-12 · 6 CVEs total

CVE-2026-106668.1 HIGHStack buffer overflow in `net_ipaddr_parse()` IPv4 address-with-port parsing in `subsys/ne
CVE-2026-106677.8 HIGHSMP use-after-free in Zephyr `CONFIG_USERSPACE` dynamic kernel-object tracking, reachable
CVE-2026-106636.1 MEDIUMUse-after-free / double-free of the root USB device in the experimental USB host stack
CVE-2026-106645.0 MEDIUMOut-of-bounds write in nRF70 Wi-Fi driver power-save event handler (unbounded TWT flow cou
CVE-2026-106682.4 LOWHost-triggerable control-endpoint wedge (DoS) in Nuvoton NuMaker HSUSBD UDC driver

IV. Related Vulnerabilities

V. Comments for CVE-2026-10665

No comments yet


Leave a comment