CVE-2026-10645
Status: Received - Intake
Out-of-Bounds Read in Zephyr RTOS ext2 Filesystem Parser

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: Zephyr Project

Description
Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then copies the name with memcpy without validating the structural relationship between de_rec_len, de_name_len, and the directory block boundary (for example that de_rec_len is non-zero, at least the size of the entry header, and that the record fits within the block). Callers such as find_dir_entry() and ext2_get_direntry() (subsys/fs/ext2/ext2_impl.c) then advance traversal using the unvalidated de_rec_len. A crafted ext2 image can therefore cause an out-of-bounds read from the directory block buffer when a malformed entry near the end of a block triggers an oversized name copy, or a zero-progress infinite loop when de_rec_len == 0. The issue is not reached at mount time but later through directory traversal paths such as pathname lookup, stat/open/unlink/rename, and readdir. The primary impact is denial of service and out-of-bounds reads under attacker-controlled ext2 images mounted from untrusted media.
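As an added example (not Zephyr's code and not the merged fix), the C below applies the structural checks the description says ext2_fetch_direntry() lacked, rejecting an entry before any name copy or traversal advance; the 8-byte on-disk header layout and EXT2_MAX_FILE_NAME = 255 are standard ext2, while dirent_view, ext2_dirent_next(), ext2_dir_block_count() and the 64-byte sample blocks are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Added example, not Zephyr's ext2_diskops.c: the structural checks the advisory
 * says are missing, applied before any name copy or traversal advance. */
#define EXT2_DIRENT_HDR_SIZE 8u   /* inode(4) rec_len(2) name_len(1) file_type(1) */
#define EXT2_MAX_FILE_NAME   255u

struct dirent_view {
    uint32_t de_inode; uint16_t de_rec_len; uint8_t de_name_len; uint8_t de_file_type;
    const uint8_t *de_name;   /* points into the block; not NUL-terminated */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
/* Parse the entry at *off; on success fill *out, advance *off and return 1. Return 0
 * for any malformed entry so the caller stops instead of looping (rec_len == 0) or
 * reading past the block (oversized name near the block end). */
int ext2_dirent_next(const uint8_t *block, size_t block_size, size_t *off,
                     struct dirent_view *out)
{
    size_t pos = *off;
    if (pos >= block_size || block_size - pos < EXT2_DIRENT_HDR_SIZE) return 0;
    uint16_t rec_len = rd16(block + pos + 4);
    uint8_t name_len = block[pos + 6];
    if (rec_len < EXT2_DIRENT_HDR_SIZE) return 0;   /* also rejects rec_len == 0 */
    if (rec_len > block_size - pos) return 0;       /* record must end inside the block */
    if (name_len > EXT2_MAX_FILE_NAME) return 0;    /* the one check the advisory says existed */
    if (name_len > rec_len - EXT2_DIRENT_HDR_SIZE) return 0; /* name must fit its own record */
    out->de_inode = rd32(block + pos);  out->de_rec_len = rec_len;
    out->de_name_len = name_len;        out->de_file_type = block[pos + 7];
    out->de_name = block + pos + EXT2_DIRENT_HDR_SIZE; /* a memcpy of de_name_len bytes is in-bounds */
    *off = pos + rec_len;
    return 1;
}

/* Walk one directory block; return the entry count, or -1 if the block is corrupt. */
int ext2_dir_block_count(const uint8_t *block, size_t block_size)
{
    struct dirent_view de; size_t off = 0; int n = 0;
    while (off < block_size) {
        if (!ext2_dirent_next(block, block_size, &off, &de)) return -1;
        n++;
    }
    return n;
}
/* Constructed 64-byte sample blocks (real ext2 blocks are 1024 bytes or larger). */
static const uint8_t blk_ok[64] = { 2,0,0,0, 12,0, 1,2, '.',0,0,0,  2,0,0,0, 12,0, 2,2, '.','.',0,0,
    12,0,0,0, 40,0, 8,1, 'f','i','l','e','.','t','x','t' };          /* ".", "..", "file.txt" */
static const uint8_t blk_zero_rec[64] = { 2,0,0,0, 0,0, 1,2, '.' };   /* rec_len == 0: would never advance */
static const uint8_t blk_big_name[64] = { 2,0,0,0, 12,0, 1,2, '.',0,0,0,  2,0,0,0, 52,0, 200,2, '.','.' };
```

A caller that returns an error on 0 from ext2_dirent_next() stops both the zero-progress loop and the oversized name copy the description attributes to the unpatched parser.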
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
NVD
Affected Vendors & Products
Vendor: zephyrproject
Product: zephyr
Version / Range: up to and including 4.3.1
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
Executive Summary

The CVE-2026-10645 vulnerability in the Zephyr RTOS affects the ext2 filesystem implementation. The issue arises because the directory-entry parser in Zephyr's ext2 filesystem does not fully validate the structure of on-disk directory entries before processing them.

Specifically, the function ext2_fetch_direntry() fails to properly check the relationship between the directory entry's record length (de_rec_len), name length (de_name_len), and the directory block boundaries. This lack of validation can cause two main problems: an out-of-bounds read from the directory block buffer and an infinite loop during directory traversal when de_rec_len is zero.

The vulnerability is not triggered during filesystem mount but occurs later during directory operations such as pathname lookup, file operations (stat, open, unlink, rename), or reading directory contents.

Impact Analysis

This vulnerability can lead to denial of service conditions by causing infinite loops or faults during directory traversal in the ext2 filesystem.

It can also cause out-of-bounds reads from the directory block buffer, which may result in undefined behavior or crashes.

While code execution has not been demonstrated, the primary realistic threat is denial of service or safety issues when mounting untrusted ext2 images from sources such as removable media, user-provided images, or over-the-air updates.

Detection Guidance

This vulnerability arises from malformed ext2 filesystem images that cause out-of-bounds reads or infinite loops during directory traversal operations such as pathname lookup, stat, open, unlink, rename, or readdir.

Detection involves monitoring for abnormal behavior or crashes when accessing ext2 filesystems, especially those mounted from untrusted media or user-provided images.

Since the issue is triggered during directory traversal, commands that perform directory operations on ext2 mounts can be used to detect the vulnerability's effects, such as:

  • ls -l /path/to/ext2/mount
  • stat /path/to/ext2/mount/somefile
  • find /path/to/ext2/mount -type f
  • cat /path/to/ext2/mount/somefile

If these commands cause infinite loops, crashes, or out-of-bounds read faults, it may indicate the presence of the vulnerability triggered by a crafted ext2 image.

Mitigation Strategies

To mitigate this vulnerability, avoid mounting or accessing ext2 filesystem images from untrusted or user-provided sources such as removable media or OTA updates.

Apply the patches that have been merged into the Zephyr main branch and release branches (v4.4, v4.3, and v3.7) which fix the validation of directory entries in the ext2 filesystem implementation.

If patching immediately is not possible, restrict access to ext2 mounts and monitor for abnormal directory traversal behavior to prevent denial of service.

Compliance Impact

The CVE-2026-10645 vulnerability primarily leads to denial of service and out-of-bounds reads when processing crafted ext2 filesystem images. It does not directly involve unauthorized access to sensitive data or data breaches.

Because the vulnerability affects availability and parser safety rather than confidentiality or integrity of data, its impact on compliance with standards like GDPR or HIPAA, which focus heavily on protecting personal and sensitive information, is indirect and limited.

However, denial of service conditions caused by this vulnerability could potentially disrupt systems that handle regulated data, which might affect operational compliance requirements under such standards.
