CVE-2026-26399
Stack Use-After-Return in Arduino_Core_STM32 pwm_start() Causes Memory Corruption

Publication date: 2026-04-20

Last updated on: 2026-04-22

Assigner: MITRE

Description
A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the function returns, interrupt service routines may dereference this dangling pointer, resulting in memory corruption.
Meta Information
Published: 2026-04-20
Last Modified: 2026-04-22
Generated: 2026-06-16
AI Q&A: 2026-04-20
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
Vendor       Product              Version / Range
arduino      arduino_core_stm32   up to 1.7.0 (exclusive)
stm32duino   arduino_core_stm32   up to 1.7.0 (exclusive)
CWE
CWE ID    Description
CWE-825   The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
CWE-562   A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
Executive Summary

CVE-2026-26399 is a stack-use-after-return vulnerability in the Arduino_Core_STM32 library versions prior to 1.7.0. The issue occurs in the pwm_start() function, which allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines. This address is stored in a global timer handle registry. After pwm_start() returns, the stack memory for this structure is reclaimed, but interrupt service routines may still dereference this now-invalid pointer, causing memory corruption.

This vulnerability involves a dangling pointer to stack memory that is no longer valid once the function has returned, leading to undefined behavior and potential system instability.

Impact Analysis

The vulnerability can lead to memory corruption and undefined behavior in affected systems. Potential impacts include Denial of Service conditions such as system crashes or HardFault exceptions.

Under certain memory layouts and control conditions, it may also allow for arbitrary code execution, depending on how the vulnerable library is integrated and how attacker-controlled inputs influence stack reuse and interrupt timing.

Detection Guidance

This vulnerability is a stack-use-after-return issue in the Arduino_Core_STM32 library affecting versions prior to 1.7.0. Detection involves analyzing firmware using this library for crashes, HardFaults, or memory corruption related to timer interrupt service routines.

Since the issue arises from the pwm_start() function allocating a stack variable whose pointer is stored globally and later dereferenced asynchronously, detection can include monitoring for abnormal behavior or crashes in STM32-based firmware using this library.

Specific commands are not provided in the available resources, but general approaches include:

  • Using debugging tools to monitor for HardFault exceptions or crashes during timer interrupts.
  • Performing static code analysis or firmware fuzzing targeting the pwm_start() function and timer handle usage.
  • Checking the version of Arduino_Core_STM32 library used in your firmware to identify if it is older than 1.7.0.

Mitigation Strategies

The primary mitigation step is to upgrade the Arduino_Core_STM32 library to version 1.7.0 or later, where the vulnerability has been fixed by refactoring the timer management design to avoid using stack-based timer handle objects.

If upgrading immediately is not possible, consider:

  • Avoiding use of the vulnerable pwm_start() function or replacing it with a safe alternative.
  • Reviewing and testing firmware for stability under timer interrupts to detect potential crashes or memory corruption.
  • Implementing additional runtime checks or watchdog timers to recover from faults caused by this issue.
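
The runtime-check idea above and the move away from stack-based timer handles, shown together as an added C example that is not code from Arduino_Core_STM32 or the STM32 HAL. The type timer_handle_t, the registry, register_handle(), pwm_start_stack() and pwm_start_static() are hypothetical stand-ins, and the 1 MiB stack window is a host-side assumption (on a target, compare against the stack bounds from the linker script instead).

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins; not the library's or the HAL's real definitions. */
typedef struct { uint32_t instance; uint32_t period; } timer_handle_t;

#define MAX_TIMERS   4
#define STACK_WINDOW ((uintptr_t)1 << 20)  /* assumption: 1 MiB around SP */

/* Global registry that interrupt handlers read long after setup returns. */
static timer_handle_t *registry[MAX_TIMERS];

/* Returns 1 if p points into automatic storage near the current frame. */
static int on_stack(const void *p) {
    volatile char marker;                  /* lives in this frame */
    uintptr_t a = (uintptr_t)p, sp = (uintptr_t)&marker;
    return (a > sp ? a - sp : sp - a) < STACK_WINDOW;
}

/* Guard: refuse any handle whose lifetime ends with the caller's frame. */
int register_handle(unsigned idx, timer_handle_t *h) {
    if (idx >= MAX_TIMERS || h == NULL || on_stack(h))
        return -1;
    registry[idx] = h;
    return 0;
}

/* The pattern the advisory describes: handle in the function's own frame. */
int pwm_start_stack(unsigned idx, uint32_t period) {
    timer_handle_t h = { idx, period };
    return register_handle(idx, &h);       /* rejected: would dangle */
}

/* Corrected pattern: one statically allocated handle per timer. */
int pwm_start_static(unsigned idx, uint32_t period) {
    static timer_handle_t handles[MAX_TIMERS];
    if (idx >= MAX_TIMERS)
        return -1;
    handles[idx].instance = idx;
    handles[idx].period = period;
    return register_handle(idx, &handles[idx]);
}

/* What an ISR would do: dereference whatever the registry holds. */
uint32_t isr_read_period(unsigned idx) {
    return (idx < MAX_TIMERS && registry[idx]) ? registry[idx]->period : 0;
}
```

A rejected registration is a convenient place to log or assert during testing, since it fires at the call site rather than later in an interrupt.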

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-26399 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
