CVE-2026-10665
Received Received - Intake

Buffer Overflow in Zephyr WireGuard Subsystem

Vulnerability report for CVE-2026-10665, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: Zephyr Project

Description

In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg_process_data_message() in wg_crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption. The call net_buf_linearize(buf->data, data_len, pkt->buffer, ..., data_len) passed the attacker-derived data_len as both the destination capacity and the copy length, defeating the function's internal len = min(len, dst_len) bound. data_len is derived from the received UDP datagram length and is only lower-bounded by wg_ctrl_recv() (no upper bound). When data_len exceeds CONFIG_WIREGUARD_BUF_LEN β€” e.g. when the buffer length is lowered below the link MTU, on links with MTU above the buffer size, or via reassembled IPv4/IPv6 fragments that exceed it β€” the underlying memcpy writes past the end of the pool buffer, an out-of-bounds write (CWE-787). The overflow occurs before the Poly1305 authentication check, so it requires only a valid receiver session index rather than a valid authenticator, and is reachable by a malicious or compromised peer (or an on-path attacker driving an established session) over the network, yielding remote memory corruption and at minimum a reliable denial of service. The defect was present in the WireGuard implementation shipped in Zephyr 4.4.0. The fix adds an explicit data_len > CONFIG_WIREGUARD_BUF_LEN rejection and corrects the linearize call to pass net_buf_max_len(buf) as the destination capacity.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr 4.4.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Zephyr's WireGuard subsystem, specifically in the function wg_process_data_message(). It improperly handles the length of incoming transport-data payloads by using the attacker-controlled data length as both the destination buffer capacity and the copy length without proper upper bound checks.

Because the data length is derived from the received UDP datagram and is not properly limited, if it exceeds the configured buffer size (CONFIG_WIREGUARD_BUF_LEN), a buffer overflow occurs. This leads to an out-of-bounds write before authentication checks, allowing a malicious or compromised peer to cause remote memory corruption.

The vulnerability can be triggered remotely by sending specially crafted packets that exceed the buffer size, potentially causing denial of service or other memory corruption effects.

Impact Analysis

This vulnerability can lead to remote memory corruption in the Zephyr RTOS WireGuard implementation, which can cause a reliable denial of service (system crash or reboot).

In some cases, depending on the memory layout, it might be possible for an attacker to execute arbitrary code, although this is less certain.

The attack requires a valid receiver session index, so it is reachable by a malicious or compromised peer or an on-path attacker during an established session.

Overall, the impact includes system instability, potential service disruption, and in worst cases, possible remote code execution.

Detection Guidance

This vulnerability can be detected by monitoring for error logs related to WireGuard packet processing that indicate oversized packets exceeding the configured buffer length (CONFIG_WIREGUARD_BUF_LEN). The system logs errors and updates invalid packet statistics when such packets are rejected.

Since the vulnerability involves packets with transport-data payloads larger than the buffer size, network monitoring tools can be used to detect unusually large UDP packets sent to the WireGuard UDP listener port.

Suggested commands include checking system logs for WireGuard errors and using packet capture tools to filter large UDP packets targeting WireGuard.

  • Check system logs for WireGuard EMSGSIZE errors: sudo journalctl -u zephyr-wireguard | grep EMSGSIZE
  • Capture large UDP packets on the WireGuard port (default 51820): sudo tcpdump -i any udp port 51820 and greater 1500
  • Use Zephyr-specific debug or statistics commands to check invalid packet counters if available.
Mitigation Strategies

The immediate mitigation step is to update the Zephyr RTOS to a version that includes the fix for this vulnerability, which adds a check to reject incoming WireGuard packets that exceed the configured buffer length (CONFIG_WIREGUARD_BUF_LEN).

If updating is not immediately possible, consider restricting network exposure of the WireGuard UDP listener to trusted peers only, reducing the risk of receiving malicious oversized packets.

Additionally, ensure that the CONFIG_WIREGUARD_BUF_LEN is set appropriately, ideally not lower than the network MTU, to prevent buffer overflows caused by legitimate large packets.

  • Apply the patch or upgrade Zephyr to a version including commit 6d8bb28dc9064e05e52b5a00b2998ecc663e38cb.
  • Restrict UDP port exposure for WireGuard to trusted networks or peers.
  • Verify and configure CONFIG_WIREGUARD_BUF_LEN to be at least the network MTU size.
Compliance Impact

The vulnerability in Zephyr's WireGuard subsystem allows remote memory corruption and denial of service, which could impact the availability and integrity of systems using the affected software.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities that lead to denial of service or potential unauthorized code execution can affect compliance by undermining system security controls required by these regulations.

Specifically, if an attacker exploits this vulnerability to disrupt services or compromise system integrity, it could lead to violations of data protection and security requirements mandated by regulations like GDPR and HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10665. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart