๐Ÿ” CVE Alert

CVE-2026-10665

HIGH 7.4

Heap buffer overflow on WireGuard receive path via unbounded incoming packet length

CVSS Score
7.4
EPSS Score
0.0%
EPSS Percentile
0th

In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg_process_data_message() in wg_crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption. The call net_buf_linearize(buf->data, data_len, pkt->buffer, ..., data_len) passed the attacker-derived data_len as both the destination capacity and the copy length, defeating the function's internal len = min(len, dst_len) bound. data_len is derived from the received UDP datagram length and is only lower-bounded by wg_ctrl_recv() (no upper bound). When data_len exceeds CONFIG_WIREGUARD_BUF_LEN โ€” e.g. when the buffer length is lowered below the link MTU, on links with MTU above the buffer size, or via reassembled IPv4/IPv6 fragments that exceed it โ€” the underlying memcpy writes past the end of the pool buffer, an out-of-bounds write (CWE-787). The overflow occurs before the Poly1305 authentication check, so it requires only a valid receiver session index rather than a valid authenticator, and is reachable by a malicious or compromised peer (or an on-path attacker driving an established session) over the network, yielding remote memory corruption and at minimum a reliable denial of service. The defect was present in the WireGuard implementation shipped in Zephyr 4.4.0. The fix adds an explicit data_len > CONFIG_WIREGUARD_BUF_LEN rejection and corrects the linearize call to pass net_buf_max_len(buf) as the destination capacity.

CWE CWE-787
Vendor zephyrproject
Product zephyr
Published Jul 12, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for zephyrproject zephyr

Be the first to know when new high vulnerabilities affecting zephyrproject zephyr are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

zephyrproject / zephyr
4.4.0 < 4.5.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/zephyrproject-rtos/zephyr/commit/6d8bb28dc9064e05e52b5a00b2998ecc663e38cb github.com: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3wqm-wgx2-9367