๐Ÿ” CVE Alert

CVE-2026-10659

MEDIUM 4.7

NULL pointer dereference in Zephyr Dhara FTL disk driver on flash read error during journal resume

CVSS Score
4.7
EPSS Score
0.0%
EPSS Percentile
0th

The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DHARA_E_ECC in dhara_nand_read, and similar in dhara_nand_erase/prog/copy). The upstream Dhara library calls these callbacks with err == NULL along its journal-resume binary search: find_last_checkblock() invokes find_checkblock(j, mid, &found, NULL), which forwards the NULL pointer into dhara_nand_read(). This path runs during disk_ftl_access_init() -> dhara_map_resume() whenever the FTL disk is mounted/initialised. If a flash read error (uncorrectable ECC, bad block, controller error) occurs on one of the probed checkpoint pages, the driver dereferences and writes to NULL, faulting the kernel (denial of service). The trigger is conditioned on the NAND medium content/health, which can be influenced by media wear, induced faults, or a corrupted/crafted on-flash image. The fix routes all error assignments through the library's NULL-safe dhara_set_error() helper. Affects Zephyr v4.4.0, where the driver was introduced.

CWE CWE-476
Vendor zephyrproject
Product zephyr
Published Jul 7, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for zephyrproject zephyr

Be the first to know when new medium vulnerabilities affecting zephyrproject zephyr are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

zephyrproject / zephyr
4.4.0 < 4.5.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/zephyrproject-rtos/zephyr/commit/a8371b0d4719efe37a66e2abb618ad9b81792212 github.com: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-q28v-3729-f82g