PT-2026-7491 · Canonical · Arduino

Published: 2026-02-11 · Updated: 2026-04-21

CVE-2026-26399

CVSS v3.1: 5.3 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

Arduino Core STM32 versions prior to 1.7.0

Description

A stack-use-after-return issue occurs when the pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, which then store it in a global timer handle registry. Once the function returns, interrupt service routines may dereference this dangling pointer, leading to memory corruption.
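
The lifetime bug described above, modeled in plain C as an added example. It is not the Arduino Core STM32 source: timer_handle_t, timer_registry, hal_timer_init, timer_isr and the pwm_start_* and pwm_stop functions are hypothetical stand-ins, and static storage is shown as one assumed way to keep the registered pointer valid, not as the project's actual fix.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for the HAL handle type and its global registry. */
typedef struct { uint32_t period; volatile uint32_t irq_count; } timer_handle_t;

#define TIMER_SLOTS 4
static timer_handle_t *timer_registry[TIMER_SLOTS];  /* read later by ISRs */

/* Models a HAL init routine: it keeps the caller's pointer, not a copy. */
static void hal_timer_init(size_t slot, timer_handle_t *h, uint32_t period) {
    h->period = period;
    h->irq_count = 0;
    timer_registry[slot] = h;
}

/* Models an interrupt handler: dereferences whatever the registry holds. */
int timer_isr(size_t slot) {
    if (slot >= TIMER_SLOTS || timer_registry[slot] == NULL) return -1;
    return (int)++timer_registry[slot]->irq_count;
}

/* VULNERABLE pattern: the handle lives in this frame, yet its address stays
 * in timer_registry after return. A later timer_isr(slot) would write into
 * whatever now occupies that stack memory. */
void pwm_start_stack(size_t slot, uint32_t period) {
    timer_handle_t h;
    hal_timer_init(slot, &h, period);
}   /* h is dead here; timer_registry[slot] dangles */

/* HARDENED pattern: one handle per slot with static storage duration, so the
 * registered pointer stays valid for as long as interrupts can fire. */
static timer_handle_t timer_handles[TIMER_SLOTS];

int pwm_start_static(size_t slot, uint32_t period) {
    if (slot >= TIMER_SLOTS) return -1;
    hal_timer_init(slot, &timer_handles[slot], period);
    return 0;
}

/* Teardown clears the slot so no stale pointer outlives its owner. */
void pwm_stop(size_t slot) { if (slot < TIMER_SLOTS) timer_registry[slot] = NULL; }

/* Defensive check: does the registered pointer refer to static storage? */
int slot_is_static(size_t slot) {
    return slot < TIMER_SLOTS && timer_registry[slot] == &timer_handles[slot];
}
```

Building firmware test targets with AddressSanitizer's stack-use-after-return detection enabled is one way to surface this class of defect on a host build before it reaches hardware.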

Recommendations

Update to version 1.7.0 or later.

Related Identifiers

CVE-2026-26399

Affected Products

Arduino