CVE-2026-26399
Received - Intake
Stack Use-After-Return in Arduino_Core_STM32 pwm_start() Causes Memory Corruption

Publication date: 2026-04-20

Last updated on: 2026-04-22

Assigner: MITRE

Description
A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the function returns, interrupt service routines may dereference this dangling pointer, resulting in memory corruption.
Meta Information
Published: 2026-04-20
Last Modified: 2026-04-22
Generated: 2026-05-07
AI Q&A: 2026-04-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor      Product             Version / Range
arduino     arduino_core_stm32  to 1.7.0 (exc)
stm32duino  arduino_core_stm32  to 1.7.0 (exc)
CWE ID   Description
CWE-562  A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
CWE-825  The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26399 is a stack-use-after-return vulnerability in the Arduino_Core_STM32 library versions prior to 1.7.0. The issue occurs in the pwm_start() function, which allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines. This address is stored in a global timer handle registry. After pwm_start() returns, the stack memory for this structure is reclaimed, but interrupt service routines may still dereference this now-invalid pointer, causing memory corruption.

This vulnerability involves a dangling pointer to stack memory that is no longer valid once the function has returned, leading to undefined behavior and potential system instability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of the CVE-2026-26399 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me?

The vulnerability can lead to memory corruption and undefined behavior in affected systems. Potential impacts include Denial of Service conditions such as system crashes or HardFault exceptions.

Under certain memory layouts and control conditions, it may also allow for arbitrary code execution, depending on how the vulnerable library is integrated and how attacker-controlled inputs influence stack reuse and interrupt timing.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a stack-use-after-return issue in the Arduino_Core_STM32 library affecting versions prior to 1.7.0. Detection involves analyzing firmware using this library for crashes, HardFaults, or memory corruption related to timer interrupt service routines.

Since the issue arises from the pwm_start() function allocating a stack variable whose pointer is stored globally and later dereferenced asynchronously, detection can include monitoring for abnormal behavior or crashes in STM32-based firmware using this library.

Specific commands are not provided in the available resources, but general approaches include:

  • Using debugging tools to monitor for HardFault exceptions or crashes during timer interrupts.
  • Performing static code analysis or firmware fuzzing targeting the pwm_start() function and timer handle usage.
  • Checking the version of Arduino_Core_STM32 library used in your firmware to identify if it is older than 1.7.0.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the Arduino_Core_STM32 library to version 1.7.0 or later, where the vulnerability has been fixed by refactoring the timer management design to avoid using stack-based timer handle objects.

If upgrading immediately is not possible, consider:

  • Avoiding use of the vulnerable pwm_start() function or replacing it with a safe alternative.
  • Reviewing and testing firmware for stability under timer interrupts to detect potential crashes or memory corruption.
  • Implementing additional runtime checks or watchdog timers to recover from faults caused by this issue.
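
The pattern from the description, modelled on a host in C as an added example (not code from Arduino_Core_STM32 or the STM32 HAL): the registration routine applies a runtime check of the kind listed above and refuses any handle that does not have static storage, so the stack-allocated variant is rejected instead of leaving a dangling pointer for the interrupt handler. All names here (tim_handle_t, handle_pool, timer_register, pwm_start_stack_handle, pwm_start_static_handle, timer_isr) are hypothetical, and the static pool is one assumed way to avoid stack-based handles, not the project's actual fix.

```c
#include <stdint.h>
#include <stddef.h>
#define TIMER_COUNT 4

/* Hypothetical stand-in for a HAL timer handle (not the real TIM_HandleTypeDef). */
typedef struct { uint32_t period; uint32_t ticks; } tim_handle_t;

static tim_handle_t handle_pool[TIMER_COUNT];  /* static storage: valid for the program's lifetime */
static tim_handle_t *registry[TIMER_COUNT];    /* global registry read by the interrupt handler */

/* Guard: accept only pointers to an element of the static pool. */
static int handle_is_static(const tim_handle_t *h) {
    uintptr_t p  = (uintptr_t)h;
    uintptr_t lo = (uintptr_t)&handle_pool[0];
    uintptr_t hi = (uintptr_t)&handle_pool[TIMER_COUNT];
    return p >= lo && p < hi && (p - lo) % sizeof(tim_handle_t) == 0;
}

/* Model of the init routine that stores the handle address globally. */
int timer_register(unsigned idx, tim_handle_t *h) {
    if (idx >= TIMER_COUNT || !handle_is_static(h))
        return -1;                   /* pointer would dangle once the caller returns */
    registry[idx] = h;
    return 0;
}

/* Pattern from the description: handle on the stack, its address handed out. */
int pwm_start_stack_handle(unsigned idx, uint32_t period) {
    tim_handle_t h = { period, 0 };
    return timer_register(idx, &h);  /* rejected by the guard, nothing is stored */
}

/* Corrected pattern: the handle has static storage duration. */
int pwm_start_static_handle(unsigned idx, uint32_t period) {
    if (idx >= TIMER_COUNT)
        return -1;
    handle_pool[idx].period = period;
    handle_pool[idx].ticks  = 0;
    return timer_register(idx, &handle_pool[idx]);
}

/* Model of the interrupt handler: runs after pwm_start_* has returned. */
uint32_t timer_isr(unsigned idx) {
    if (idx >= TIMER_COUNT || registry[idx] == NULL)
        return 0;                    /* no handle registered for this timer */
    registry[idx]->ticks++;
    return registry[idx]->period;
}
```

On a real target the same guard could compare against linker-provided stack bounds instead of a pool; that variant depends on the linker script and is not shown.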
