{"id":"CVE-2026-10665","summary":"Heap buffer overflow on WireGuard receive path via unbounded incoming packet length","details":"In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wg_process_data_message() in wg_crypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIG_WIREGUARD_BUF_LEN bytes before decryption. The call net_buf_linearize(buf-\u003edata, data_len, pkt-\u003ebuffer, ..., data_len) passed the attacker-derived data_len as both the destination capacity and the copy length, defeating the function's internal len = min(len, dst_len) bound. data_len is derived from the received UDP datagram length and is only lower-bounded by wg_ctrl_recv() (no upper bound). When data_len exceeds CONFIG_WIREGUARD_BUF_LEN — e.g. when the buffer length is lowered below the link MTU, on links with MTU above the buffer size, or via reassembled IPv4/IPv6 fragments that exceed it — the underlying memcpy writes past the end of the pool buffer, an out-of-bounds write (CWE-787). The overflow occurs before the Poly1305 authentication check, so it requires only a valid receiver session index rather than a valid authenticator, and is reachable by a malicious or compromised peer (or an on-path attacker driving an established session) over the network, yielding remote memory corruption and at minimum a reliable denial of service. The defect was present in the WireGuard implementation shipped in Zephyr 4.4.0. The fix adds an explicit data_len \u003e CONFIG_WIREGUARD_BUF_LEN rejection and corrects the linearize call to pass net_buf_max_len(buf) as the destination capacity.","aliases":["GHSA-3wqm-wgx2-9367"],"modified":"2026-07-16T03:48:09.881666758Z","published":"2026-07-12T16:16:49.648Z","database_specific":{"cna_assigner":"zephyr","cwe_ids":["CWE-787"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10665.json","unresolved_ranges":[{"extracted_events":[{"introduced":"4.4.0"},{"fixed":"4.5.0"}],"source":"AFFECTED_FIELD"}]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10665.json"},{"type":"ADVISORY","url":"https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3wqm-wgx2-9367"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10665"},{"type":"FIX","url":"https://github.com/zephyrproject-rtos/zephyr/commit/6d8bb28dc9064e05e52b5a00b2998ecc663e38cb"},{"type":"PACKAGE","url":"https://github.com/zephyrproject-rtos/zephyr"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zephyrproject-rtos/zephyr","events":[{"introduced":"0"},{"fixed":"6d8bb28dc9064e05e52b5a00b2998ecc663e38cb"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v4.4.0","v4.4.0-rc3","v4.4.0-rc2","v4.4.0-rc1","v4.3.0","v4.3.0-rc3","v4.3.0-rc2","v4.3.0-rc1","v4.2.0","v4.2.0-rc3","v4.2.0-rc2","v4.2.0-rc1","v4.1.0","v4.1.0-rc3","v4.1.0-rc2","v4.1.0-rc1","v4.0.0","v4.0.0-rc3","v4.0.0-rc2","v4.0.0-rc1","v3.7.0","v3.7.0-rc3","v3.7.0-rc2","v3.7.0-rc1","v3.6.0","v3.6.0-rc3","v3.6.0-rc2","v3.6.0-rc1","zephyr-v3.5.0","v3.5.0","v3.5.0-rc3","v3.5.0-rc2","v3.5.0-rc1","zephyr-v3.4.0","v3.4.0","v3.4.0-rc3","v3.4.0-rc2","v3.4.0-rc1","zephyr-v3.3.0","v3.3.0","v3.3.0-rc3","v3.3.0-rc2","v3.3.0-rc1","zephyr-v3.2.0","v3.2.0","v3.2.0-rc3","v3.2.0-rc2","v3.2.0-rc1","zephyr-v3.1.0","v3.1.0","v3.1.0-rc3","v3.1.0-rc2","v3.1.0-rc1","zephyr-v3.0.0","v3.0.0","v3.0.0-rc3","v3.0.0-rc2","v3.0.0-rc1","v2.7.99","v2.7.0-rc3","v2.7.0-rc2","v2.7.0-rc1","zephyr-v2.6.0","v2.6.0","v2.6.0-rc3","v2.6.0-rc2","v2.6.0-rc1","zephyr-v2.5.0","v2.5.0","v2.5.0-rc4","v2.5.0-rc3","v2.5.0-rc2","v2.5.0-rc1","zephyr-v2.4.0","v2.4.0","v2.4.0-rc3","v2.4.0-rc2","v2.4.0-rc1","zephyr-v2.3.0","v2.3.0","v2.3.0-rc2","v2.3.0-rc1","zephyr-v2.1.0","v2.1.0","zephyr-v2.2.0","v2.2.0","v2.2.0-rc3","v2.2.0-rc2","v2.2.0-rc1","v2.1.0-rc3","v2.1.0-rc2","v2.1.0-rc1","zephyr-v2.0.0","v2.0.0","v2.0.0-rc3","v2.0.0-rc2","v2.0.0-rc1","zephyr-v1.14.0","v1.14.0","v1.14.0-rc3","v1.14.0-rc2","v1.14.0-rc1","zephyr-v1.13.0","v1.13.0","v1.13.0-rc3","v1.13.0-rc2","v1.13.0-rc1","zephyr-v1.12.0","v1.12.0","v1.12.0-rc3","v1.12.0-rc2","v1.12.0-rc1","zephyr-v1.11.0","v1.11.0","v1.11.0-rc3","v1.11.0-rc2","v1.11.0-rc1","zephyr-v1.10.0","v1.10.0","v1.10.0-rc3","v1.10.0-rc2","v1.10.0-rc1","zephyr-v1.9.0","v1.9.0","v1.9.0-rc4","v1.9.0-rc3","v1.9.0-rc2","v1.9.0-rc1","v1.8.99","zephyr-v1.5.0","v1.5.0","v1.7.99","v1.6.99","v1.5.0-rc4","v1.5.0-rc3","v1.5.0-rc2","v1.5.0-rc1","v1.5.0-rc0","zephyr-v1.4.0","v1.4.0","v1.4.0-rc3","v1.4.0-rc2","v1.4.0-rc1","zephyr-v1.3.0","v1.3.0","v1.3.0-rc2","v1.3.0-rc1","zephyr-v1.2.0","v1.2.0","v1.2.0-rc2","v1.2.0-rc1","zephyr-v1.1.0","v1.1.0","v1.1.0-rc1","zephyr-v1.0.0","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10665.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}