CVE-2026-10664
Received Received - Intake

Buffer Overflow in nRF70 Wi-Fi Driver

Vulnerability report for CVE-2026-10664, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: Zephyr Project

Description

The nRF70 Wi-Fi driver's power-save event handler nrf_wifi_event_proc_get_power_save_info() in drivers/wifi/nrf_wifi/src/wifi_mgmt.c copied TWT (Target Wake Time) flow entries from an nrf_wifi_umac_event_power_save_info event into the fixed-size twt_flows[WIFI_MAX_TWT_FLOWS] (8-element) array of a caller-supplied struct wifi_ps_config, looping over event-provided num_twt_flows without validating it against WIFI_MAX_TWT_FLOWS or checking event_len. When num_twt_flows exceeds 8, the handler writes past the destination array (which is typically on the caller's stack, e.g. the wifi ps shell command) -- an out-of-bounds write of ~40-byte TWT entries -- and reads twt_flow_info[i] past the event buffer. The event is delivered by the nRF70 co-processor firmware in response to a host-initiated power-save GET, so reaching the overflow requires the firmware to emit a malformed or out-of-range event; the trust boundary is host-to-trusted-coprocessor rather than a direct remote-AP write, with over-the-air influence on the flow count being indirect and bounded by the 3-bit TWT flow-id space. Affected: builds with CONFIG_NRF70_STA_MODE on releases through v4.4.0. The fix rejects events with num_twt_flows > WIFI_MAX_TWT_FLOWS or with event_len shorter than the claimed entries, and adds a NULL check on the caller buffer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nordic_semiconductor nrf_wifi to 4.4.0 (inc)
zephyrproject zephyr to 4.4.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the nRF70 Wi-Fi driver's power-save event handler function called nrf_wifi_event_proc_get_power_save_info(). The function copies Target Wake Time (TWT) flow entries from an event into a fixed-size array without properly validating the number of flows against the array's maximum capacity (8 entries).

When the number of TWT flows exceeds this limit, the function writes beyond the bounds of the destination array, causing an out-of-bounds write of approximately 40 bytes. It also reads beyond the event buffer, leading to memory corruption.

The event triggering this overflow is sent by the nRF70 co-processor firmware in response to a host-initiated power-save GET request. Exploiting this requires the firmware to send a malformed or out-of-range event, which is a trusted boundary scenario rather than a direct remote attack.

This vulnerability can corrupt stack memory, including return addresses or local variables, and can cause secondary out-of-bounds reads and potential memory disclosure, especially when the corrupted data is later processed by shell commands.

Impact Analysis

This vulnerability can lead to memory corruption through out-of-bounds writes and reads in the Wi-Fi driver's power-save event handler.

  • It can overwrite adjacent stack memory, potentially corrupting return addresses or local variables.
  • The corrupted memory can cause unexpected behavior, crashes, or denial of service in the affected system.
  • Secondary out-of-bounds reads caused by processing corrupted data may lead to information disclosure.
  • Exploitation requires a malformed event from the trusted co-processor firmware, so remote exploitation is limited but possible through indirect influence.
Detection Guidance

This vulnerability involves an out-of-bounds write and read in the nRF70 Wi-Fi driver's power-save event handler due to unchecked num_twt_flows values. Detection would involve monitoring for malformed power-save events with num_twt_flows exceeding the maximum allowed (8).

Since the overflow occurs in the handling of firmware-supplied events, detection on the network level is indirect and complex. However, you can look for abnormal or malformed power-save GET responses from the nRF70 co-processor firmware.

Commands to detect this vulnerability specifically are not provided in the available resources. However, monitoring logs for error messages related to power-save event processing or unexpected behavior in the wifi_ps_config structure (such as crashes or memory corruption symptoms) could help identify exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to apply the patch that validates the num_twt_flows value against the maximum allowed (WIFI_MAX_TWT_FLOWS = 8) and checks the event length before processing the power-save event.

If the validation fails, the handler logs an error and returns early, preventing out-of-bounds memory access and potential memory corruption.

Ensure your system is updated to a Zephyr RTOS version that includes the fix (main branch or v4.4/v4.3 branches). If updating immediately is not possible, consider disabling or restricting the use of the power-save GET command or the affected nRF70 Wi-Fi driver functionality until the patch can be applied.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10664. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart