CVE-2026-10644
Status: Received - Intake

Out-of-Bounds Write in Microchip SERCOM-G1 UART Driver

Vulnerability report for CVE-2026-10644, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: Zephyr Project

Description

The Microchip SERCOM-G1 UART driver (drivers/serial/uart_mchp_sercom_g1.c), used by the PIC32CM-JH SoC family, contains an out-of-bounds write in its asynchronous (DMA) receive path. When uart_rx_enable() is invoked with a one-byte receive buffer (len == 1) and CONFIG_UART_MCHP_ASYNC is enabled, the RX-complete ISR starts a single-beat DMA transfer while a received byte is already pending in the SERCOM DATA register. On this SoC the peripheral-triggered DMA start sequencing then writes one byte past the end of the caller-supplied buffer (CWE-787). The overflowed byte's value is the UART RX data supplied by the connected serial peer (adjacent attacker), while its size and location are fixed at one byte immediately after the buffer. Exploitation requires the async UART config (not enabled by default on the in-tree PIC32CM-JH boards) and a consumer that enables RX with a one-byte buffer; impact is limited single-byte memory corruption adjacent to the RX buffer (possible crash / denial of service). The defect shipped in v4.4.0. The fix reads the first byte with the CPU and, for one-byte buffers, performs no DMA at all; for larger buffers it sizes the DMA for the remaining len-1 bytes.
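As an added illustration (not the Zephyr driver's code), the following C model contrasts the vulnerable RX-enable shape with the fixed one the description gives. The SERCOM/DMA behaviour is a simplified stand-in and an assumption: it models a byte already latched in DATA when DMA starts, and a single-beat DMA started in that state moving one extra byte, which is the quirk the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
/* Simplified model of the SERCOM RX path: an assumption, not real hardware. */
struct sercom_model {
    const uint8_t *line;   /* bytes the serial peer sends (constructed input) */
    size_t line_len, line_pos;
    int data_pending;      /* a byte is already latched in the DATA register */
};
static int model_read_data(struct sercom_model *m, uint8_t *out)
{
    if (m->line_pos >= m->line_len) return 0;
    *out = m->line[m->line_pos++];
    m->data_pending = 0;
    return 1;
}
/* Toy DMA engine with the quirk the advisory describes: a single-beat transfer
 * started while DATA is pending moves the pending byte AND the next one, i.e.
 * it writes beats + 1 bytes into dst. Returns the number of bytes written. */
static size_t model_dma_start(struct sercom_model *m, uint8_t *dst, size_t beats)
{
    size_t n = (beats == 1 && m->data_pending) ? beats + 1 : beats;
    size_t done = 0;
    while (done < n && model_read_data(m, &dst[done])) done++;
    return done;
}

/* Vulnerable shape: the whole caller buffer is handed to DMA, len == 1 included. */
size_t rx_enable_vulnerable(struct sercom_model *m, uint8_t *buf, size_t len)
{
    return model_dma_start(m, buf, len);
}

/* Fixed shape per the advisory: CPU reads the first byte; no DMA for a one-byte
 * buffer, and DMA sized to len - 1 for larger buffers. */
size_t rx_enable_fixed(struct sercom_model *m, uint8_t *buf, size_t len)
{
    if (len == 0 || !model_read_data(m, &buf[0])) return 0;
    return len == 1 ? 1 : 1 + model_dma_start(m, &buf[1], len - 1);
}

/* Runs one variant on a 1-byte buffer followed by a canary byte; returns 1 if
 * the canary was overwritten with peer data, 0 if the bound was honoured. */
int guard_clobbered(size_t (*rx)(struct sercom_model *, uint8_t *, size_t))
{
    static const uint8_t peer[] = { 0x41, 0x42, 0x43 };  /* constructed */
    struct sercom_model m = { peer, sizeof(peer), 0, 1 };
    uint8_t region[2] = { 0x00, 0xEE };   /* [0] = RX buffer, [1] = canary */
    rx(&m, region, 1);
    return region[1] != 0xEE;
}
```

In this model the vulnerable variant overwrites the canary with the peer's second byte, while the fixed variant leaves it intact and still fills larger buffers completely.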

Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

Associated CPEs (2):

Vendor    | Product                | Version / Range
microchip | sercom_g1_uart_driver  | up to 4.5.0 (excluding)
microchip | sercom_g1_uart_driver  | 4.5.0

Exploitability

CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.

Executive Summary

CVE-2026-10644 is a moderate-severity vulnerability in the Microchip SERCOM-G1 UART driver used by the PIC32CM-JH SoC family. It involves an out-of-bounds write in the asynchronous (DMA) receive path when uart_rx_enable() is called with a one-byte receive buffer and the asynchronous UART configuration is enabled.

Specifically, the RX-complete interrupt service routine (ISR) triggers a single-beat DMA transfer while a byte is already pending in the UART data register. This causes the DMA to write one byte beyond the end of the provided buffer, resulting in a buffer overflow (CWE-787).

The overflowed byte's value comes from the connected serial peer, and the overflow affects exactly one byte immediately after the buffer. Exploitation requires the async UART configuration to be enabled (which is disabled by default) and a consumer enabling RX with a one-byte buffer.

The impact is limited to single-byte memory corruption adjacent to the RX buffer, which can potentially cause crashes or denial of service.

Impact Analysis

This vulnerability can lead to a single-byte memory corruption adjacent to the receive buffer in the UART driver.

Such memory corruption may cause the affected system to crash or experience denial of service conditions.

However, exploitation requires specific conditions: the asynchronous UART configuration must be enabled and the receive buffer must be set to one byte, which is not the default configuration.

The vulnerability does not affect confidentiality but has low impact on integrity and availability.

Detection Guidance

This vulnerability occurs specifically when the Microchip SERCOM-G1 UART driver is configured with asynchronous UART enabled (CONFIG_UART_MCHP_ASYNC) and the uart_rx_enable() function is called with a one-byte receive buffer (len == 1). Detection involves verifying if your system uses the affected PIC32CM-JH SoC family with this driver and configuration.

To detect the vulnerability on your system, you should check the UART driver configuration and usage patterns, specifically looking for asynchronous UART mode enabled and single-byte RX buffers.

Since the issue is a memory corruption caused by an out-of-bounds DMA write, direct detection on the network is not straightforward. However, monitoring for crashes or denial of service symptoms related to UART communication may indicate exploitation attempts.

Suggested commands or steps to detect the vulnerability include:

  • Check the Zephyr build configuration (the generated .config / Kconfig output) for CONFIG_UART_MCHP_ASYNC=y.
  • Audit application and subsystem code for calls to uart_rx_enable() whose buffer length is 1.
  • Monitor system logs for UART-related crashes, faults or errors.
  • Use a debugger or trace tooling to observe the RX buffer length passed to uart_rx_enable() and the resulting DMA activity.

Mitigation Strategies

Immediate mitigation steps include disabling the asynchronous UART mode (CONFIG_UART_MCHP_ASYNC) if it is not required, as the vulnerability requires this configuration to be enabled.

Avoid using a one-byte receive buffer with uart_rx_enable(), as the vulnerability specifically occurs when len == 1.

Update your Zephyr RTOS to version 4.5.0 or later, where the vulnerability is fixed by reading the first byte with the CPU and avoiding DMA for one-byte buffers.

If updating is not immediately possible, apply the patch from commit 5251d2b which addresses the issue by modifying the RX enable process and handling RX errors more robustly.

Compliance Impact

This vulnerability causes a limited single-byte memory corruption adjacent to the RX buffer, potentially leading to crashes or denial of service. It does not impact confidentiality, as the overflowed byte's value is supplied by the connected serial peer and no sensitive data leakage is indicated.

Since confidentiality remains unaffected and the impact is limited to integrity and availability with low severity, the vulnerability is unlikely to directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting sensitive personal data confidentiality and integrity.
