Overview
CVE-2026-10665 is a high-severity vulnerability in the WireGuard subsystem of the Zephyr real-time operating system. The vulnerability has a CVSS score of 7.4 and is classified as CWE-787, an out-of-bounds write vulnerability. This vulnerability allows a malicious or compromised peer, or an on-path attacker, to cause remote memory corruption and denial of service.
Understanding the Vulnerability / Threat
Root Cause Analysis
The root cause of this vulnerability is an out-of-bounds write in the wg_process_data_message() function in wg_crypto.c. The function linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption. However, the call to net_buf_linearize() passes the attacker-derived data_len as both the destination capacity and the copy length, defeating the function's internal bound checking.
Attack Surface & Vector
This vulnerability is reachable over the network by a malicious or compromised peer, or an on-path attacker driving an established session. The attacker needs to have a valid receiver session index, but not a valid authenticator. The vulnerability is present in the WireGuard implementation shipped in Zephyr 4.4.0.
Exploitation Mechanics — Scenario Walkthrough
Scenario: Compromising a Zephyr Device via CVE-2026-10665
Initial Position: An attacker is in a position to send UDP datagrams to a Zephyr device that has an established WireGuard session.
Triggering the Flaw: The attacker crafts a UDP datagram with a payload length that exceeds the CONFIG_WIREGUARD_BUF_LEN. When the datagram is processed by the wg_process_data_message() function, it triggers the out-of-bounds write.
What Breaks: The underlying memcpy writes past the end of the pool buffer, causing an out-of-bounds write. This occurs before the Poly1305 authentication check, allowing the attacker to corrupt memory without a valid authenticator.
Attacker's Prize: The attacker can cause remote memory corruption and denial of service. With potentially crafted input, the attacker could attempt to execute arbitrary code or escalate privileges.
Real-World Impact
The real-world impact of this vulnerability is significant. An attacker could exploit this vulnerability to cause a denial of service or potentially execute arbitrary code on a vulnerable Zephyr device. This could have serious consequences in industries that rely on Zephyr-based devices, such as automotive, industrial automation, and medical devices.
Detection & Defense
Immediate Mitigations
To mitigate this vulnerability, users should upgrade to Zephyr version 4.5.0 or later. Additionally, users can apply the patch from the Zephyr project's GitHub repository.
Detection Strategies
Defenders can detect exploitation attempts by monitoring network traffic for suspicious UDP datagrams with large payload lengths. They can also monitor system logs for signs of memory corruption or denial of service.
Long-Term Hardening
To prevent similar vulnerabilities in the future, developers should implement robust bound checking and input validation in their code. They should also regularly review and update their dependencies to ensure they have the latest security patches.
Key Takeaways
- CVE-2026-10665 is a high-severity vulnerability in Zephyr's WireGuard subsystem that allows for remote memory corruption and denial of service.
- The vulnerability is caused by an out-of-bounds write in the wg_process_data_message() function.
- Users should upgrade to Zephyr version 4.5.0 or later to mitigate this vulnerability.
- Defenders should monitor network traffic and system logs for signs of exploitation.
- Developers should implement robust bound checking and input validation in their code.
Sources
- National Vulnerability Database (NVD)
- Zephyr project's GitHub repository