CVE-2026-10642
Modified Modified - Updated After Analysis

Infinite Loop in Zephyr RTOS PL011 UART Driver

Vulnerability report for CVE-2026-10642, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: Zephyr Project

Description

The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to work around the controller's level-transition TX-interrupt behavior. When CTS hardware flow control is enabled (devicetree hw-flow-control or runtime UART_CFG_FLOW_CTRL_RTS_CTS) and the wired serial peer de-asserts CTS, the controller stops draining the TX FIFO; pl011_fifo_fill() then returns 0 on every call while the application still has pending data and therefore never disables the TX interrupt. The loop condition never clears, so the thread that called uart_irq_tx_enable() (e.g. h4_send() in the Bluetooth HCI H4 driver) spins indefinitely, hanging the executing context and stalling the transport β€” a denial of service (CWE-835). An attacker controlling the device attached to the UART's CTS line can trigger the hang by withholding CTS during transmission. Because that peer is the device wired to the UART β€” which may be a removable or external module (e.g. an off-board Bluetooth controller on the HCI H4 link) rather than a permanently-bonded on-PCB part β€” the attack vector is scored Adjacent (AV:A) rather than Physical; the security subcommittee should confirm the vector against the specific deployment. Impact is availability only; there is no memory-safety, confidentiality, or integrity consequence. The vulnerable loop was introduced in commit b783bc8448ef (Feb 2025) and shipped in releases v4.1.0 through v4.4.0. The fix breaks out of the loop when CTS is blocking and arms the CTS modem-status interrupt to resume transmission when CTS re-asserts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-13
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr From 4.1.0 (inc) to 4.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Zephyr PL011 UART driver, specifically in the function pl011_irq_tx_enable(). This function contains an unbounded software loop that repeatedly calls an interrupt-driven application callback while the TX interrupt mask bit is set. When CTS hardware flow control is enabled and the connected device de-asserts CTS, the controller stops draining the TX FIFO buffer. As a result, the function pl011_fifo_fill() returns 0 repeatedly while there is still data to send, causing the TX interrupt to never be disabled.

Because the loop condition never clears, the thread that called uart_irq_tx_enable() spins indefinitely, hanging the executing context and stalling the transport. This leads to a denial of service (DoS) condition. An attacker controlling the device attached to the UART's CTS line can trigger this hang by withholding CTS during transmission.

The issue affects Zephyr releases v4.1.0 through v4.4.0 and was introduced in February 2025. The fix involves breaking out of the loop when CTS is blocking and enabling the CTS modem-status interrupt to resume transmission when CTS is re-asserted.

Impact Analysis

This vulnerability impacts the availability of the affected system by causing a denial of service (DoS). Specifically, the system can hang indefinitely during UART transmission if an attacker controls the CTS line and withholds it, causing the transmitting thread to spin endlessly.

There are no impacts on memory safety, confidentiality, or integrity. The main consequence is that the communication over UART stalls, which can disrupt the normal operation of the device relying on this serial communication.

Mitigation Strategies

The vulnerability affects Zephyr PL011 UART driver versions v4.1.0 through v4.4.0 due to an unbounded loop when CTS hardware flow control is enabled and CTS is withheld by the connected device, causing a denial of service.

Immediate mitigation steps include updating the Zephyr project to a version that includes the fix which breaks out of the loop when CTS is blocking and arms the CTS modem-status interrupt to resume transmission when CTS re-asserts.

Compliance Impact

This vulnerability impacts availability only and does not affect memory safety, confidentiality, or integrity.

Since it does not compromise confidentiality or integrity of data, it does not directly affect compliance with standards and regulations such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

However, the denial of service caused by this vulnerability could indirectly impact system availability requirements in certain regulatory contexts.

Detection Guidance

This vulnerability causes the system to hang or stall the transport when the UART PL011 driver enters an infinite loop due to CTS hardware flow control being withheld by the connected device.

To detect this issue, monitor the UART transmission behavior for stalls or hangs, especially when CTS hardware flow control is enabled.

Since the problem manifests as a thread spinning indefinitely in the function pl011_irq_tx_enable(), you can look for high CPU usage or stuck threads related to UART transmission.

Specific commands depend on your system, but general approaches include:

  • Use system monitoring tools (e.g., top, htop) to identify processes or threads with unusually high CPU usage or stuck states.
  • Use kernel debugging or tracing tools (e.g., ftrace, perf) to trace UART driver function calls and detect repeated calls to pl011_irq_tx_enable() or related callbacks.
  • Check UART driver logs or enable debug logging for the PL011 UART driver to observe repeated TX interrupt callbacks or CTS flow control events.
  • If possible, use UART hardware status registers or tools to monitor CTS line status and TX FIFO drain activity.

There are no specific commands provided in the resources, but these general diagnostic steps can help identify the infinite loop condition caused by this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10642. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart