PatchSiren

CVE-2026-10642 zephyrproject CVE debrief

The Zephyr PL011 UART driver contains an unbounded software loop in pl011_irq_tx_enable() that can cause a denial of service. The vulnerability was introduced in commit b783bc8448ef (Feb 2025) and shipped in releases v4.1.0 through v4.4.0. An attacker controlling the device attached to the UART's CTS line can trigger the hang. The impact is availability only, with no memory-safety, confidentiality, or integrity consequences. The fix breaks out of the loop when CTS is blocking and arms the CTS modem-status interrupt to resume transmission when CTS re-asserts.

Vendor: zephyrproject
Product: zephyr
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-24
Original CVE updated: 2026-07-02
Advisory published: 2026-06-24
Advisory updated: 2026-07-02

Who should care

Organizations using Zephyr versions v4.1.0 through v4.4.0 should be aware of this vulnerability and take steps to mitigate it. Specifically, those using the PL011 UART driver with CTS hardware flow control enabled are at risk. The vulnerability can be triggered by an attacker controlling the device attached to the UART's CTS line.

Technical summary

The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set. When CTS hardware flow control is enabled and the wired serial peer de-asserts CTS, the controller stops draining the TX FIFO, causing the loop to spin indefinitely. The loop condition never clears, hanging the executing context and stalling the transport. The vulnerability was introduced in commit b783bc8448ef (Feb 2025) and shipped in releases v4.1.0 through v4.4.0.
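
The loop shape described above and the shape of the fix, as an added software model; this is not Zephyr's driver code or the fix commit. Apart from PL011_IMSC_TXIM, every name is hypothetical, and the FIFO depth, the spin cap that stands in for the hang, and the "CTS de-asserted with a full FIFO" test for blocking are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed software model of a PL011-style UART, not Zephyr driver code.
 * Only PL011_IMSC_TXIM is a name from the page; the rest is hypothetical. */
#define PL011_IMSC_TXIM   (1u << 5) /* TX interrupt mask bit */
#define MODEL_IMSC_CTSMIM (1u << 1) /* CTS modem-status interrupt mask */
#define FIFO_DEPTH 16u
#define SPIN_CAP   100000L /* stands in for "forever" so the demo terminates */
/* imsc: mask register; fifo/pending: bytes queued/left; cts: peer allows TX */
struct uart_model { unsigned imsc, fifo, pending; bool cts; };
static void hw_step(struct uart_model *u) { if (u->cts) u->fifo = 0; } /* drains only under CTS */
/* Application callback: top up the FIFO, disable TX IRQ once all is queued. */
static void app_callback(struct uart_model *u) {
    unsigned room = FIFO_DEPTH - u->fifo;
    unsigned n = u->pending < room ? u->pending : room;
    u->fifo += n; u->pending -= n;
    if (u->pending == 0) u->imsc &= ~PL011_IMSC_TXIM;
}
/* Vulnerable shape: the exit condition depends on a FIFO the peer can freeze. */
static long tx_enable_unbounded(struct uart_model *u) {
    long spins = 0;
    u->imsc |= PL011_IMSC_TXIM;
    while ((u->imsc & PL011_IMSC_TXIM) && spins < SPIN_CAP) {
        hw_step(u); app_callback(u); spins++;
    }
    return spins; /* SPIN_CAP: the uncapped loop would never have returned */
}
/* Fixed shape: leave when CTS blocks a full FIFO; the CTS IRQ resumes later. */
static long tx_enable_bounded(struct uart_model *u) {
    long spins = 0;
    u->imsc |= PL011_IMSC_TXIM;
    while (u->imsc & PL011_IMSC_TXIM) {
        hw_step(u);
        if (!u->cts && u->fifo == FIFO_DEPTH) { u->imsc |= MODEL_IMSC_CTSMIM; break; }
        app_callback(u); spins++;
    }
    return spins;
}
/* Modelled CTS modem-status interrupt: peer re-asserted CTS, resume TX. */
static long cts_irq(struct uart_model *u) {
    u->cts = true; u->imsc &= ~MODEL_IMSC_CTSMIM;
    return tx_enable_bounded(u);
}
int main(void) {
    struct uart_model a = {0, 0, 40, false}, b = a; /* 40 bytes, CTS held off */
    long hung = tx_enable_unbounded(&a), first = tx_enable_bounded(&b);
    printf("unbounded %ld, bounded %ld, resumed %ld\n", hung, first, cts_irq(&b));
    return 0;
}
```

With CTS held off, the unbounded variant only stops because of the model's cap, while the bounded variant returns after one callback and finishes the transfer from the modelled CTS interrupt.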

Defensive priority

Treat applying the fix as high priority: an attacker controlling the device attached to the UART's CTS line can trigger the vulnerability, leading to a denial of service.

Recommended defensive actions

  • Apply the fix from commit 68e702294b711eadfe7b4fadedd46d7c87fe8f3d or later.
  • Upgrade to Zephyr version v4.5.0 or later.
  • Disable CTS hardware flow control if not required.
  • Monitor for unusual activity on the UART's CTS line.
  • Implement additional logging and monitoring to detect potential attacks.

Evidence notes

The vulnerability was introduced in commit b783bc8448ef (Feb 2025) and shipped in releases v4.1.0 through v4.4.0. The fix breaks out of the loop when CTS is blocking and arms the CTS modem-status interrupt to resume transmission when CTS re-asserts. The impact is availability only, with no memory-safety, confidentiality, or integrity consequences.

This article was generated with AI assistance based on the supplied source corpus.