CVE-2026-10659
Awaiting Analysis Awaiting Analysis - Queue

Null Pointer Dereference in Zephyr FTL Disk Driver

Vulnerability report for CVE-2026-10659, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Zephyr Project

Description

The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DHARA_E_ECC in dhara_nand_read, and similar in dhara_nand_erase/prog/copy). The upstream Dhara library calls these callbacks with err == NULL along its journal-resume binary search: find_last_checkblock() invokes find_checkblock(j, mid, &found, NULL), which forwards the NULL pointer into dhara_nand_read(). This path runs during disk_ftl_access_init() -> dhara_map_resume() whenever the FTL disk is mounted/initialised. If a flash read error (uncorrectable ECC, bad block, controller error) occurs on one of the probed checkpoint pages, the driver dereferences and writes to NULL, faulting the kernel (denial of service). The trigger is conditioned on the NAND medium content/health, which can be influenced by media wear, induced faults, or a corrupted/crafted on-flash image. The fix routes all error assignments through the library's NULL-safe dhara_set_error() helper. Affects Zephyr v4.4.0, where the driver was introduced.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr to 4.5.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-10659 is a NULL pointer dereference vulnerability in the Zephyr RTOS Dhara Flash Translation Layer (FTL) disk driver. The vulnerability occurs because the driver writes an error code to a caller-supplied error pointer without checking if it is NULL. During the journal resume process, the upstream Dhara library calls these callbacks with a NULL error pointer, which leads the driver to dereference and write to NULL when a flash read error happens. This causes a kernel fault and results in a denial of service.

The issue is triggered by flash read errors such as uncorrectable ECC errors, bad blocks, or controller errors, which can be caused by media wear, induced faults, or corrupted on-flash images. The vulnerability affects Zephyr version 4.4.0, where the driver was introduced, and was fixed by routing error assignments through a NULL-safe helper function.

Impact Analysis

This vulnerability can cause a kernel fault leading to a denial of service (DoS) on devices running the affected Zephyr RTOS version 4.4.0. Specifically, when a flash read error occurs during disk initialization or mounting, the system may crash due to the NULL pointer dereference. This can disrupt normal device operation and availability.

The vulnerability requires local access to the device but does not require elevated privileges or user interaction to be triggered. The fault depends on the state of the NAND flash medium, which can be influenced by natural wear, induced faults, or maliciously crafted flash images.

Detection Guidance

This vulnerability is a NULL pointer dereference in the Zephyr RTOS Dhara FTL disk driver that causes a kernel fault and denial of service when a flash read error occurs during journal resume.

Detection would involve monitoring for kernel faults or crashes related to the Dhara FTL disk driver, especially during disk initialization or mounting phases.

Since the issue is triggered by flash read errors on NAND media, checking system logs for kernel oops or panic messages related to the Dhara driver or flash errors could help identify the problem.

No specific commands or network detection methods are provided in the available resources.

Mitigation Strategies

The immediate mitigation is to upgrade the Zephyr RTOS to version 4.5.0 or later, where the vulnerability has been fixed.

The fix involves replacing direct error pointer assignments with the NULL-safe dhara_set_error() helper to prevent NULL pointer dereferences.

Until the upgrade is applied, avoid using the affected Dhara FTL disk driver or ensure that the NAND media is healthy and not prone to induced faults or corrupted images that could trigger the issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart