PT-2026-57566 · Zephyrproject · Zephyr
Publicado
2026-07-12
·
Atualizado
2026-07-12
·
CVE-2026-10664
CVSS v3.1
5.0
Média
| Vetor | AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L |
The nRF70 Wi-Fi driver's power-save event handler nrf wifi event proc get power save info() in drivers/wifi/nrf wifi/src/wifi mgmt.c copied TWT (Target Wake Time) flow entries from an nrf wifi umac event power save info event into the fixed-size twt flows[WIFI MAX TWT FLOWS] (8-element) array of a caller-supplied struct wifi ps config, looping over event-provided num twt flows without validating it against WIFI MAX TWT FLOWS or checking event len. When num twt flows exceeds 8, the handler writes past the destination array (which is typically on the caller's stack, e.g. the wifi ps shell command) -- an out-of-bounds write of ~40-byte TWT entries -- and reads twt flow info[i] past the event buffer. The event is delivered by the nRF70 co-processor firmware in response to a host-initiated power-save GET, so reaching the overflow requires the firmware to emit a malformed or out-of-range event; the trust boundary is host-to-trusted-coprocessor rather than a direct remote-AP write, with over-the-air influence on the flow count being indirect and bounded by the 3-bit TWT flow-id space. Affected: builds with CONFIG NRF70 STA MODE on releases through v4.4.0. The fix rejects events with num twt flows > WIFI MAX TWT FLOWS or with event len shorter than the claimed entries, and adds a NULL check on the caller buffer.
Correção
Memory Corruption
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Zephyr