PatchSiren cyber security CVE debrief
CVE-2026-10645 zephyrproject-rtos CVE debrief
CVE-2026-10645 is a medium-severity vulnerability in Zephyr's ext2 directory-entry parser. The parser does not fully validate on-disk directory entry structures before copying entry names and advancing its traversal state, so a crafted ext2 image can cause out-of-bounds reads or infinite loops. The primary impact is denial of service (DoS), with out-of-bounds reads possible under certain conditions. The CVE was published on June 23, 2026, and last modified on the same day. Its Common Vulnerability Scoring System (CVSS) score is 4.9, classified as MEDIUM severity.
- Vendor: zephyrproject-rtos
- Product: Zephyr
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-23
Who should care
This vulnerability affects users of Zephyr who mount ext2 filesystems from untrusted sources. System administrators and developers working with Zephyr-based systems should be aware of this issue, especially if they handle filesystem images from external or potentially malicious sources. Because exploitation requires a crafted ext2 image, users who control where their filesystem images come from, or who thoroughly validate such images before mounting them, are less exposed.
Technical summary
The vulnerability is located in the ext2 directory-entry parser, specifically in the `ext2_fetch_direntry()` function within `subsys/fs/ext2/ext2_diskops.c`. The code does not fully validate a directory entry's structure before processing it, so a malformed entry can cause an out-of-bounds read or an infinite loop. The issue is triggered by a crafted ext2 image and is reachable through any code path that walks a directory, such as pathname lookup, stat, open, unlink, rename, and readdir operations. The impact is primarily denial of service (DoS), with information disclosure possible through out-of-bounds reads.
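As an added illustration that is not Zephyr's code or its fix, the following hypothetical validator shows the class of checks described above: each directory entry's header and `rec_len` are bounded against the containing block before any name is copied or the traversal cursor advances. The struct layout is the classic ext2 on-disk format; the sample blocks are constructed for this example and the host is assumed to be little-endian.

```c
#include <stdint.h>
#include <string.h>
/* Classic on-disk ext2 directory entry header (little-endian on disk; this
 * example assumes a little-endian host, which most Zephyr targets are). */
struct ext2_direntry_hdr {
    uint32_t inode;     /* 0 marks an unused slot */
    uint16_t rec_len;   /* whole entry length: multiple of 4, >= 8 + name_len */
    uint8_t  name_len;
    uint8_t  file_type;
};
/* Validate the entry at `off` before any name is copied or the cursor moves.
 * Rejects: header past block end; rec_len too small for its own name (this
 * covers rec_len == 0, the infinite-loop case); unaligned rec_len; rec_len
 * running past the block (the out-of-bounds read case). */
static int ext2_direntry_ok(const uint8_t *block, size_t block_size, size_t off,
                            struct ext2_direntry_hdr *out)
{
    struct ext2_direntry_hdr h;
    if (off >= block_size || block_size - off < sizeof(h)) return 0;
    memcpy(&h, block + off, sizeof(h));
    if (h.rec_len < sizeof(h) + h.name_len) return 0;
    if (h.rec_len % 4 != 0) return 0;
    if (h.rec_len > block_size - off) return 0;
    if (out) *out = h;
    return 1;
}
/* Walk one directory block and count live entries; -1 on the first malformed
 * entry. Accepted rec_len values are >= 8 and bounded, so the loop terminates. */
int ext2_count_direntries(const uint8_t *block, size_t block_size)
{
    size_t off = 0;
    int n = 0;
    while (off < block_size) {
        struct ext2_direntry_hdr h;
        if (!ext2_direntry_ok(block, block_size, off, &h)) return -1;
        if (h.inode != 0) n++;
        off += h.rec_len;
    }
    return n;
}
/* Constructed 24-byte sample blocks (not taken from any real image). */
const uint8_t SAMPLE_GOOD[24] = {
    2,0,0,0, 12,0, 1,2, '.', 0,0,0,       /* "."  */
    2,0,0,0, 12,0, 2,2, '.','.', 0,0 };   /* ".." */
const uint8_t SAMPLE_ZERO_RECLEN[24] = {
    2,0,0,0,  0,0, 1,2, '.', 0,0,0,       /* rec_len 0: naive walker never advances */
    2,0,0,0, 12,0, 2,2, '.','.', 0,0 };
const uint8_t SAMPLE_OVERRUN[24] = {
    2,0,0,0, 12,0, 1,2, '.', 0,0,0,
    3,0,0,0, 64,0, 50,1, 'x','x', 0,0 };  /* rec_len/name_len run past the block */
```

A walker that advanced by `rec_len` without these checks would spin forever on the second sample and read past the buffer on the third; the validator rejects both before any copy happens.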
Defensive priority
This vulnerability should be prioritized for remediation in environments where Zephyr-based systems are used with ext2 filesystems from untrusted sources. Given its medium severity and potential for DoS and information disclosure, applying patches or mitigations is advisable, especially in systems handling filesystems from external sources.
Recommended defensive actions
- Apply the official patch or update provided by the Zephyr project to fix the vulnerability in the ext2 directory-entry parser.
- Where images must be accepted from outside, validate ext2 directory entry structures (entry length, name length, and block bounds) before mounting or processing them.
- Ensure that only trusted sources provide ext2 images for mounting or processing in Zephyr-based systems.
- Monitor system logs for signs of exploitation attempts or anomalous behavior related to filesystem operations.
- Consider using a filesystem format that the deployment has fuller control over, or additional security mechanisms such as filesystem encryption and access controls, to limit the impact of a malicious image.
Evidence notes
The CVE-2026-10645 details are based on information from the CVE.org record and the National Vulnerability Database (NVD). The vulnerability was disclosed on June 23, 2026, with a CVSS score of 4.9. The Zephyr project's security advisory (GHSA-hwrh-9h3x-vccm) provides additional context on the vulnerability. The issue is classified under CWE-125, 'Out-of-bounds Read'.
Official resources
- CVE-2026-10645 CVE record (CVE.org)
- CVE-2026-10645 NVD detail (NVD)
This article is AI-assisted and based on the supplied source corpus.