PT-2026-57567 · Zephyrproject · Zephyr

Published

2026-07-12

·

Updated

2026-07-12

·

CVE-2026-10665

CVSS v3.1

7.4

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg process data message() in wg crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG WIREGUARD BUF LEN bytes before decryption. The call net buf linearize(buf->data, data len, pkt->buffer, ..., data len) passed the attacker-derived data len as both the destination capacity and the copy length, defeating the function's internal len = min(len, dst len) bound. data len is derived from the received UDP datagram length and is only lower-bounded by wg ctrl recv() (no upper bound). When data len exceeds CONFIG WIREGUARD BUF LEN — e.g. when the buffer length is lowered below the link MTU, on links with MTU above the buffer size, or via reassembled IPv4/IPv6 fragments that exceed it — the underlying memcpy writes past the end of the pool buffer, an out-of-bounds write (CWE-787). The overflow occurs before the Poly1305 authentication check, so it requires only a valid receiver session index rather than a valid authenticator, and is reachable by a malicious or compromised peer (or an on-path attacker driving an established session) over the network, yielding remote memory corruption and at minimum a reliable denial of service. The defect was present in the WireGuard implementation shipped in Zephyr 4.4.0. The fix adds an explicit data len > CONFIG WIREGUARD BUF LEN rejection and corrects the linearize call to pass net buf max len(buf) as the destination capacity.

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-10665

Affected Products

Zephyr