{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/zephyr-rtos-v4.0.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-10672"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Zephyr RTOS (v3.0.0)","Zephyr RTOS (v3.1.0)","Zephyr RTOS (v3.2.0)","Zephyr RTOS (v3.3.0)","Zephyr RTOS (v3.4.0)","Zephyr RTOS (v3.5.0)","Zephyr RTOS (v4.0.0)","Zephyr RTOS (v4.1.0)","Zephyr RTOS (v4.2.0)","Zephyr RTOS (v4.3.0)","Zephyr RTOS (v4.4.0)"],"_cs_severities":["high"],"_cs_tags":["out-of-bounds-read","data-exfiltration","firmware","rtos","iot","embedded"],"_cs_type":"advisory","_cs_vendors":["Zephyr Project"],"content_html":"\u003cp\u003eA public Proof of Concept (PoC) has been released for \u003cstrong\u003eCVE-2026-10672\u003c/strong\u003e, an out-of-bounds read vulnerability impacting the LwM2M firmware-update pull client within Zephyr RTOS. Specifically, the flaw exists in the \u003ccode\u003elwm2m_pull_context_start_transfer()\u003c/code\u003e function in \u003ccode\u003esubsys/net/lib/lwm2m/lwm2m_pull_context.c\u003c/code\u003e. Affected versions include Zephyr v3.0.0 through v4.4.0. An attacker can exploit this by supplying an oversized Package URI (128 bytes or more) during a firmware update over CoAP, causing the system to read past an allocated 128-byte buffer. This leads to the exfiltration of up to 13 bytes of sensitive data from adjacent memory locations within the \u003ccode\u003efirmware_pull_context\u003c/code\u003e struct, such as \u003ccode\u003eis_firmware_uri\u003c/code\u003e flags or function pointers, which are then included in outbound CoAP requests. The public availability of this PoC significantly increases the risk for unpatched embedded and IoT devices utilizing the vulnerable Zephyr RTOS component.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes network access to a vulnerable Zephyr RTOS device running the LwM2M pull client, potentially as a malicious LwM2M management server or an on-path adversary.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a CoAP PUT request to the LwM2M Package URI resource (\u003ccode\u003e/5/0/1\u003c/code\u003e) on the vulnerable device.\u003c/li\u003e\n\u003cli\u003eThe PUT request includes a crafted, oversized Package URI payload (≥ 128 bytes), which is not NUL-terminated by the server.\u003c/li\u003e\n\u003cli\u003eThe attacker then sends a CoAP POST request to the LwM2M Execute Update resource (\u003ccode\u003e/5/0/2\u003c/code\u003e), triggering the firmware update process on the client.\u003c/li\u003e\n\u003cli\u003eDuring the update process, the \u003ccode\u003elwm2m_pull_context_start_transfer()\u003c/code\u003e function in \u003ccode\u003elwm2m_pull_context.c\u003c/code\u003e performs a \u003ccode\u003ememcpy\u003c/code\u003e of the oversized URI into \u003ccode\u003econtext.uri\u003c/code\u003e (a 128-byte buffer) without NUL-termination.\u003c/li\u003e\n\u003cli\u003eSubsequent operations, such as \u003ccode\u003estrlen(context.uri)\u003c/code\u003e, \u003ccode\u003ehttp_parser_parse_url()\u003c/code\u003e, and appending the CoAP \u003ccode\u003ePROXY_URI\u003c/code\u003e option, attempt to read beyond the \u003ccode\u003econtext.uri\u003c/code\u003e buffer.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds read accesses adjacent memory locations, such as \u003ccode\u003eis_firmware_uri\u003c/code\u003e, struct padding, and \u003ccode\u003eresult_cb\u003c/code\u003e/\u003ccode\u003ewrite_cb\u003c/code\u003e function pointers.\u003c/li\u003e\n\u003cli\u003eThe over-read bytes, including the sensitive data, are then exfiltrated within the outbound CoAP request sent by the vulnerable Zephyr device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-10672 leads to the leakage of sensitive data from the memory of vulnerable Zephyr RTOS devices. While the exploit demonstrates the exfiltration of 13 bytes, this information could include critical configuration flags, memory addresses of function pointers, or other internal state, which might be leveraged in subsequent attacks to bypass Address Space Layout Randomization (ASLR), gain code execution, or further compromise the device. Given that Zephyr RTOS is commonly used in IoT and embedded systems, successful attacks could expose proprietary device configurations, compromise device integrity, or facilitate deeper access to constrained environments where these devices operate.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-10672\u003c/strong\u003e immediately by upgrading Zephyr RTOS to version v4.4.1 or v4.3.1 or newer.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual CoAP traffic patterns, specifically inbound CoAP PUT requests to \u003ccode\u003e/5/0/1\u003c/code\u003e or POST requests to \u003ccode\u003e/5/0/2\u003c/code\u003e with unusually large URI payloads, or outbound CoAP requests containing \u003ccode\u003ePROXY_URI\u003c/code\u003e options with unusual lengths (e.g., \u0026gt;128 bytes), as indicated by the exploit for \u003cstrong\u003eCVE-2026-10672\u003c/strong\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strong network segmentation for IoT and embedded devices to limit exposure to untrusted networks, particularly for devices running Zephyr RTOS, to prevent attackers from sending crafted CoAP requests.\u003c/li\u003e\n\u003cli\u003eEnsure proper authentication and encryption (DTLS) are enforced for LwM2M server communication, as detailed in the source's \u003ccode\u003elwm2m_evil_server.py\u003c/code\u003e script.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T10:02:01Z","date_published":"2026-07-18T10:02:01Z","id":"https://feed.craftedsignal.io/briefs/2026-07-zephyr-lwm2m-oob-read-poc/","summary":"A public Proof of Concept (PoC) is available for CVE-2026-10672, an out-of-bounds read vulnerability in the LwM2M firmware update component of Zephyr RTOS versions 3.0.0 through 4.4.0, allowing an attacker to exfiltrate up to 13 bytes of sensitive data from adjacent memory via crafted CoAP requests, significantly elevating risk for unpatched IoT and embedded systems.","title":"Public Exploit for Zephyr RTOS LwM2M Out-of-Bounds Read (CVE-2026-10672)","url":"https://feed.craftedsignal.io/briefs/2026-07-zephyr-lwm2m-oob-read-poc/"}],"language":"en","title":"CraftedSignal Threat Feed - Zephyr RTOS (V4.0.0)","version":"https://jsonfeed.org/version/1.1"}