PatchSiren cyber security CVE debrief
CVE-2026-10664 zephyrproject CVE debrief
The nRF70 Wi-Fi driver's power-save event handler nrf_wifi_event_proc_get_power_save_info() has an out-of-bounds write vulnerability. This occurs when the handler copies TWT flow entries from an nrf_wifi_umac_event_power_save_info event into a fixed-size array without validating the number of entries, leading to a potential buffer overflow. The vulnerability is triggered when the number of TWT flow entries exceeds the fixed-size array, causing the handler to write past the destination array and read past the event buffer. The event is delivered by the nRF70 co-processor firmware in response to a host-initiated power-save GET. Reaching the overflow requires the firmware to emit a malformed or out-of-range event. The trust boundary is host-to-trusted-coprocessor rather than a direct remote-AP write, with over-the-air influence on the flow count being indirect and bounded by the 3-bit TWT flow-id space. Affected builds have CONFIG_NRF70_STA_MODE on releases through v4.4.0. Users should review their configurations and apply patches or updates as necessary.
- Vendor
- zephyrproject
- Product
- zephyr
- CVSS
- MEDIUM 5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-12
- Original CVE updated
- 2026-07-12
- Advisory published
- 2026-07-12
- Advisory updated
- 2026-07-12
Who should care
Users of Zephyr RTOS with CONFIG_NRF70_STA_MODE enabled, especially those with devices using the nRF70 co-processor firmware, should review their configurations and apply patches or updates as necessary. They should also monitor for unusual activity or errors related to the nRF70 Wi-Fi driver and consider implementing additional logging or monitoring to detect potential exploitation attempts.
Technical summary
The nRF70 Wi-Fi driver's power-save event handler nrf_wifi_event_proc_get_power_save_info() in drivers/wifi/nrf_wifi/src/wifi_mgmt.c has an out-of-bounds write vulnerability. The handler copies TWT (Target Wake Time) flow entries from an nrf_wifi_umac_event_power_save_info event into the fixed-size twt_flows[WIFI_MAX_TWT_FLOWS] (8-element) array of a caller-supplied struct wifi_ps_config. This occurs without validating num_twt_flows against WIFI_MAX_TWT_FLOWS or checking event_len. When num_twt_flows exceeds 8, the handler writes past the destination array, which is typically on the caller's stack, and reads twt_flow_info[i] past the event buffer. The event is delivered by the nRF70 co-processor firmware in response to a host-initiated power-save GET. Reaching the overflow requires the firmware to emit a malformed or out-of-range event. The trust boundary is host-to-trusted-coprocessor rather than a direct remote-AP write, with over-the-air influence on the flow count being indirect and bounded by the 3-bit TWT flow-id space. Affected builds have CONFIG_NRF70_STA_MODE on releases through v4.4.0.
Defensive priority
Medium priority due to the specific conditions required for exploitation and the limited attack surface.
Recommended defensive actions
- Apply the official patch or update to a version beyond v4.4.0.
- Review and validate the configuration of CONFIG_NRF70_STA_MODE.
- Monitor for unusual activity or errors related to the nRF70 Wi-Fi driver.
- Consider implementing additional logging or monitoring to detect potential exploitation attempts.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-12T17:16:24.317Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The information provided is based on the available data and may not be exhaustive. Users should verify the information with the official sources and perform additional due diligence to ensure the accuracy and completeness of the data.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T17:16:24.317Z and has not been modified since then. The NVD entry is currently Received.