Advisory severity: high

eswifi Socket Offload Driver Buffer Overflow Vulnerability (CVE-2026-1679)

CVE-2026-1679 is a vulnerability in the eswifi socket offload driver: user-provided payloads are copied into a fixed-size buffer without a size check, so an oversized payload overflows the buffer and corrupts kernel memory.

CVE-2026-1679 is a buffer overflow (CWE-120) in the eswifi socket offload driver. The driver copies a caller-supplied payload into the fixed-size eswifi->buf buffer using the caller's length as the copy length, without first checking that length against the buffer's capacity. A payload larger than the buffer therefore overruns eswifi->buf and corrupts the kernel memory that follows it. The Zephyr Project assigned the issue a CVSS v3.1 base score of 7.3. Exploitation requires local code execution to call the socket send API; it is not…
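As an added illustration (not code from this advisory or from the Zephyr eswifi driver), the following C model reproduces the shape of the defect: a fixed staging buffer, a send path that trusts the caller's length, and two ways to bound the copy. The struct layout, the 256-byte buffer, the canary field and every function name are assumptions made for the model; the sentinel placed behind the buffer only makes the overrun observable in this toy, whereas a real target corrupts whatever the kernel happens to place after eswifi->buf.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the driver context. The real Zephyr eswifi structure has a
 * different layout and buffer size; only the shape of the defect is reproduced. */
#define ESWIFI_BUF_SIZE 256u          /* assumed capacity of the fixed staging buffer */
#define CANARY_VALUE    0xDEADBEEFu   /* sentinel used only by this model */
#define OVERSIZED_LEN   (ESWIFI_BUF_SIZE + sizeof(uint32_t))  /* long enough to reach the sentinel */

struct eswifi_dev {
    char buf[ESWIFI_BUF_SIZE];  /* fixed buffer that receives the socket payload */
    uint32_t canary;            /* sits right after buf so an overrun is observable */
};

typedef int (*send_fn_t)(struct eswifi_dev *, const void *, size_t);

static void eswifi_init(struct eswifi_dev *dev)
{
    memset(dev->buf, 0, sizeof dev->buf);
    dev->canary = CANARY_VALUE;
}

static bool canary_intact(const struct eswifi_dev *dev)
{
    return dev->canary == CANARY_VALUE;
}

/* Vulnerable pattern (CWE-120): the length passed to send() becomes the copy length
 * with no comparison against sizeof(buf), so a longer payload writes past buf. */
static int eswifi_send_vulnerable(struct eswifi_dev *dev, const void *payload, size_t len)
{
    memcpy(dev->buf, payload, len);   /* overruns buf when len > ESWIFI_BUF_SIZE */
    return (int)len;
}

/* Hardened pattern 1: refuse a payload that cannot fit. The right choice for a
 * datagram socket, where a message goes out whole or not at all. */
static int eswifi_send_checked(struct eswifi_dev *dev, const void *payload, size_t len)
{
    if (len > sizeof dev->buf) {
        return -EMSGSIZE;
    }
    memcpy(dev->buf, payload, len);
    return (int)len;
}

/* Hardened pattern 2: stage at most one buffer's worth and report a short write,
 * which a stream socket caller has to handle anyway. */
static int eswifi_send_short(struct eswifi_dev *dev, const void *payload, size_t len)
{
    size_t n = len < sizeof dev->buf ? len : sizeof dev->buf;
    memcpy(dev->buf, payload, n);
    return (int)n;
}

/* Drive one send path with a constructed payload of the given length (capped at the
 * model's maximum) and report its return value plus whether the sentinel survived. */
static int run_path(send_fn_t fn, size_t len, bool *intact)
{
    struct eswifi_dev dev;
    char payload[OVERSIZED_LEN];
    int rc;

    eswifi_init(&dev);
    memset(payload, 'A', sizeof payload);   /* constructed attacker-controlled bytes */
    rc = fn(&dev, payload, len > sizeof payload ? sizeof payload : len);
    *intact = canary_intact(&dev);
    return rc;
}

/* Checks a reviewer would want on the fix: oversized input is rejected or truncated
 * without touching memory past buf, and in-bounds input still goes through. */
static bool checked_path_bounds_copy(void)
{
    bool big, ok;
    return run_path(eswifi_send_checked, OVERSIZED_LEN, &big) == -EMSGSIZE && big
        && run_path(eswifi_send_checked, ESWIFI_BUF_SIZE, &ok) == (int)ESWIFI_BUF_SIZE && ok;
}

static bool short_path_bounds_copy(void)
{
    bool big, ok;
    return run_path(eswifi_send_short, OVERSIZED_LEN, &big) == (int)ESWIFI_BUF_SIZE && big
        && run_path(eswifi_send_short, 100, &ok) == 100 && ok;
}

int main(void)
{
    bool intact;

    /* The vulnerable path runs only here, in the demo: its overrun is undefined behaviour. */
    run_path(eswifi_send_vulnerable, OVERSIZED_LEN, &intact);
    printf("vulnerable send: canary %s\n", intact ? "intact" : "CORRUPTED");
    printf("checked path bounded: %d, short-write path bounded: %d\n",
           checked_path_bounds_copy(), short_path_bounds_copy());
    return 0;
}
```

Compile with any C compiler and run: the vulnerable path reports the sentinel as corrupted, the two bounded paths report 1. Which hardened pattern applies depends on the socket type the offload driver is serving; rejecting with -EMSGSIZE matches datagram semantics, while the short write matches stream semantics and leaves the caller to loop.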

Detection coverage (2 rules)

Detect Suspicious Socket Send API Calls (eswifi)

high

Detects potential exploitation attempts of CVE-2026-1679 by flagging socket send API calls from unusual processes that may be trying to trigger the buffer overflow in the eswifi driver. Note that the eswifi driver ships in the Zephyr RTOS; the Linux process_creation log source this rule is written against exists only on a Linux host, not on the Zephyr target itself, so coverage depends on where the rule is deployed.

Format: Sigma. Tactics: denial_of_service, privilege_escalation. Techniques: T1068. Log sources: process_creation, linux.

Detect Kernel Memory Corruption (Hypothetical)

critical

This rule is hypothetical: it aims to detect kernel memory corruption that could result from exploiting CVE-2026-1679, and it depends on a memory dump analysis capability on the host, which is not a standard log source.

Format: Sigma. Tactics: denial_of_service, privilege_escalation. Techniques: T1068. Log sources: process_memory, linux.
