<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Zephyr RTOS (V4.2.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/zephyr-rtos-v4.2.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 18 Jul 2026 10:02:01 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/zephyr-rtos-v4.2.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Public Exploit for Zephyr RTOS LwM2M Out-of-Bounds Read (CVE-2026-10672)</title><link>https://feed.craftedsignal.io/briefs/2026-07-zephyr-lwm2m-oob-read-poc/</link><pubDate>Sat, 18 Jul 2026 10:02:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-zephyr-lwm2m-oob-read-poc/</guid><description>A public Proof of Concept (PoC) is available for CVE-2026-10672, an out-of-bounds read vulnerability in the LwM2M firmware update component of Zephyr RTOS versions 3.0.0 through 4.4.0, allowing an attacker to exfiltrate up to 13 bytes of sensitive data from adjacent memory via crafted CoAP requests, significantly elevating risk for unpatched IoT and embedded systems.</description><content:encoded><![CDATA[<p>A public Proof of Concept (PoC) has been released for <strong>CVE-2026-10672</strong>, an out-of-bounds read vulnerability impacting the LwM2M firmware-update pull client within Zephyr RTOS. Specifically, the flaw exists in the <code>lwm2m_pull_context_start_transfer()</code> function in <code>subsys/net/lib/lwm2m/lwm2m_pull_context.c</code>. Affected versions include Zephyr v3.0.0 through v4.4.0. An attacker can exploit this by supplying an oversized Package URI (128 bytes or more) during a firmware update over CoAP, causing the system to read past an allocated 128-byte buffer. This leads to the exfiltration of up to 13 bytes of sensitive data from adjacent memory locations within the <code>firmware_pull_context</code> struct, such as <code>is_firmware_uri</code> flags or function pointers, which are then included in outbound CoAP requests. The public availability of this PoC significantly increases the risk for unpatched embedded and IoT devices utilizing the vulnerable Zephyr RTOS component.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker establishes network access to a vulnerable Zephyr RTOS device running the LwM2M pull client, potentially as a malicious LwM2M management server or an on-path adversary.</li>
<li>The attacker sends a CoAP PUT request to the LwM2M Package URI resource (<code>/5/0/1</code>) on the vulnerable device.</li>
<li>The PUT request includes a crafted, oversized Package URI payload (≥ 128 bytes), which is not NUL-terminated by the server.</li>
<li>The attacker then sends a CoAP POST request to the LwM2M Execute Update resource (<code>/5/0/2</code>), triggering the firmware update process on the client.</li>
<li>During the update process, the <code>lwm2m_pull_context_start_transfer()</code> function in <code>lwm2m_pull_context.c</code> performs a <code>memcpy</code> of the oversized URI into <code>context.uri</code> (a 128-byte buffer) without NUL-termination.</li>
<li>Subsequent operations, such as <code>strlen(context.uri)</code>, <code>http_parser_parse_url()</code>, and appending the CoAP <code>PROXY_URI</code> option, attempt to read beyond the <code>context.uri</code> buffer.</li>
<li>This out-of-bounds read accesses adjacent memory locations, such as <code>is_firmware_uri</code>, struct padding, and <code>result_cb</code>/<code>write_cb</code> function pointers.</li>
<li>The over-read bytes, including the sensitive data, are then exfiltrated within the outbound CoAP request sent by the vulnerable Zephyr device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-10672 leads to the leakage of sensitive data from the memory of vulnerable Zephyr RTOS devices. While the exploit demonstrates the exfiltration of 13 bytes, this information could include critical configuration flags, memory addresses of function pointers, or other internal state, which might be leveraged in subsequent attacks to bypass Address Space Layout Randomization (ASLR), gain code execution, or further compromise the device. Given that Zephyr RTOS is commonly used in IoT and embedded systems, successful attacks could expose proprietary device configurations, compromise device integrity, or facilitate deeper access to constrained environments where these devices operate.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-10672</strong> immediately by upgrading Zephyr RTOS to version v4.4.1 or v4.3.1 or newer.</li>
<li>Monitor network traffic for unusual CoAP traffic patterns, specifically inbound CoAP PUT requests to <code>/5/0/1</code> or POST requests to <code>/5/0/2</code> with unusually large URI payloads, or outbound CoAP requests containing <code>PROXY_URI</code> options with unusual lengths (e.g., &gt;128 bytes), as indicated by the exploit for <strong>CVE-2026-10672</strong>.</li>
<li>Implement strong network segmentation for IoT and embedded devices to limit exposure to untrusted networks, particularly for devices running Zephyr RTOS, to prevent attackers from sending crafted CoAP requests.</li>
<li>Ensure proper authentication and encryption (DTLS) are enforced for LwM2M server communication, as detailed in the source's <code>lwm2m_evil_server.py</code> script.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>out-of-bounds-read</category><category>data-exfiltration</category><category>firmware</category><category>rtos</category><category>iot</category><category>embedded</category></item></channel></rss>