CVE-2026-10642
Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Zephyr Project

Description
The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to work around the controller's level-transition TX-interrupt behavior. When CTS hardware flow control is enabled (devicetree hw-flow-control or runtime UART_CFG_FLOW_CTRL_RTS_CTS) and the wired serial peer de-asserts CTS, the controller stops draining the TX FIFO; pl011_fifo_fill() then returns 0 on every call while the application still has pending data and therefore never disables the TX interrupt. The loop condition never clears, so the thread that called uart_irq_tx_enable() (e.g. h4_send() in the Bluetooth HCI H4 driver) spins indefinitely, hanging the executing context and stalling the transport, a denial of service (CWE-835). An attacker controlling the device attached to the UART's CTS line can trigger the hang by withholding CTS during transmission. Impact is availability only; there is no memory-safety, confidentiality, or integrity consequence. The vulnerable loop was introduced in commit b783bc8448ef (Feb 2025) and shipped in releases v4.1.0 through v4.4.0. The fix breaks out of the loop when CTS is blocking and arms the CTS modem-status interrupt to resume transmission when CTS re-asserts.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: zephyrproject
Product: zephyr
Version / Range: From 4.1.0 (inc) to 4.4.0 (inc)
CWE
CWE ID: CWE-835
Description: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Executive Summary

The vulnerability exists in the Zephyr PL011 UART driver, specifically in the function pl011_irq_tx_enable(). This function contains an unbounded software loop that repeatedly calls an interrupt-driven application callback while the TX interrupt mask bit is set. When CTS hardware flow control is enabled and the connected device de-asserts CTS, the controller stops draining the TX FIFO buffer. As a result, the function pl011_fifo_fill() returns 0 repeatedly while there is still data to send, causing the TX interrupt to never be disabled.

Because the loop condition never clears, the thread that called uart_irq_tx_enable() spins indefinitely, hanging the executing context and stalling the transport. This leads to a denial of service (DoS) condition. An attacker controlling the device attached to the UART's CTS line can trigger this hang by withholding CTS during transmission.

The issue affects Zephyr releases v4.1.0 through v4.4.0 and was introduced in February 2025. The fix involves breaking out of the loop when CTS is blocking and enabling the CTS modem-status interrupt to resume transmission when CTS is re-asserted.

Impact Analysis

This vulnerability impacts the availability of the affected system by causing a denial of service (DoS). Specifically, the system can hang indefinitely during UART transmission if an attacker controls the CTS line and withholds it, causing the transmitting thread to spin endlessly.

There are no impacts on memory safety, confidentiality, or integrity. The main consequence is that the communication over UART stalls, which can disrupt the normal operation of the device relying on this serial communication.

Mitigation Strategies

The vulnerability affects the PL011 UART driver in Zephyr releases v4.1.0 through v4.4.0. When CTS hardware flow control is enabled and the connected device withholds CTS, an unbounded loop in the driver causes a denial of service.

Immediate mitigation: update Zephyr to a version that includes the fix, which breaks out of the loop when CTS is blocking and arms the CTS modem-status interrupt to resume transmission when CTS re-asserts.
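
The loop behavior described above, as a small host-side C model added here for illustration; it is not the Zephyr driver's code or the project's patch. The `sim_*` names, the `cts_budget` field and the `max_iter` cap are assumptions of the model; only the behavior (fill returns 0 while CTS is de-asserted, the callback leaves the TX interrupt enabled, the fix breaks out and arms the CTS interrupt) comes from the description.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed model, not Zephyr types: the state the description refers to. */
struct sim_uart {
    bool txim;       /* TX interrupt mask bit (PL011_IMSC_TXIM in the driver) */
    bool cts_irq;    /* CTS modem-status interrupt armed (what the fix adds) */
    int cts_budget;  /* bytes the peer accepts before it de-asserts CTS */
    int pending;     /* bytes the application still has to send */
    unsigned calls;  /* callback invocations, to make the spinning visible */
};

/* Stands in for pl011_fifo_fill(): returns 0 once CTS blocks draining. */
static int sim_fifo_fill(struct sim_uart *u)
{
    if (u->cts_budget == 0) return 0;
    u->cts_budget--; u->pending--;
    return 1;
}

/* Stands in for the application callback: TX is disabled only when done. */
static void sim_app_callback(struct sim_uart *u)
{
    u->calls++;
    if (u->pending > 0) sim_fifo_fill(u);
    if (u->pending == 0) u->txim = false;
}

/* Loop shape of pl011_irq_tx_enable(); false = pre-fix loop never exits. */
static bool sim_irq_tx_enable(struct sim_uart *u, bool fixed, unsigned max_iter)
{
    u->txim = true;
    while (u->txim) {
        if (u->calls >= max_iter) return false;  /* cap exists only in the model */
        sim_app_callback(u);
        if (fixed && u->txim && u->cts_budget == 0) {
            u->cts_irq = true;  /* resume later from the CTS interrupt */
            break;
        }
    }
    return true;
}

int main(void)
{
    struct sim_uart a = { .cts_budget = 3, .pending = 8 }, b = a;
    bool ra = sim_irq_tx_enable(&a, false, 100000);
    bool rb = sim_irq_tx_enable(&b, true, 100000);
    printf("pre-fix ok=%d calls=%u | fixed ok=%d calls=%u cts_irq=%d\n", ra, a.calls, rb, b.calls, b.cts_irq);
    return 0;
}
```

In the pre-fix run the callback count reaches the model's cap with 5 bytes still pending, which is the spin the advisory describes; in the fixed run the loop exits after 3 callbacks with the CTS interrupt armed.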
