PT-2026-57566 · Zephyrproject · Zephyr

Published

2026-07-12

·

Updated

2026-07-12

·

CVE-2026-10664

CVSS v3.1

5.0

Medium

VectorAV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
The nRF70 Wi-Fi driver's power-save event handler nrf wifi event proc get power save info() in drivers/wifi/nrf wifi/src/wifi mgmt.c copied TWT (Target Wake Time) flow entries from an nrf wifi umac event power save info event into the fixed-size twt flows[WIFI MAX TWT FLOWS] (8-element) array of a caller-supplied struct wifi ps config, looping over event-provided num twt flows without validating it against WIFI MAX TWT FLOWS or checking event len. When num twt flows exceeds 8, the handler writes past the destination array (which is typically on the caller's stack, e.g. the wifi ps shell command) -- an out-of-bounds write of ~40-byte TWT entries -- and reads twt flow info[i] past the event buffer. The event is delivered by the nRF70 co-processor firmware in response to a host-initiated power-save GET, so reaching the overflow requires the firmware to emit a malformed or out-of-range event; the trust boundary is host-to-trusted-coprocessor rather than a direct remote-AP write, with over-the-air influence on the flow count being indirect and bounded by the 3-bit TWT flow-id space. Affected: builds with CONFIG NRF70 STA MODE on releases through v4.4.0. The fix rejects events with num twt flows > WIFI MAX TWT FLOWS or with event len shorter than the claimed entries, and adds a NULL check on the caller buffer.

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-10664

Affected Products

Zephyr