CVE-2026-10642

Source
https://cve.org/CVERecord?id=CVE-2026-10642
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10642.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10642
Aliases
  • GHSA-3fgh-73jh-2q5j
Published
2026-06-24T21:32:05.251Z
Modified
2026-07-16T03:30:51.903871228Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Unbounded TX busy-loop DoS in Zephyr PL011 UART driver under CTS hardware flow control
Details

The Zephyr PL011 UART driver (drivers/serial/uartpl011.c) contains an unbounded software loop in pl011irqtxenable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011IMSCTXIM) is set, to work around the controller's level-transition TX-interrupt behavior.

When CTS hardware flow control is enabled (devicetree hw-flow-control or runtime UARTCFGFLOWCTRLRTSCTS) and the wired serial peer de-asserts CTS, the controller stops draining the TX FIFO; pl011fifofill() then returns 0 on every call while the application still has pending data and therefore never disables the TX interrupt. The loop condition never clears, so the thread that called uartirqtxenable() (e.g. h4_send() in the Bluetooth HCI H4 driver) spins indefinitely, hanging the executing context and stalling the transport — a denial of service (CWE-835).

An attacker controlling the device attached to the UART's CTS line can trigger the hang by withholding CTS during transmission. Because that peer is the device wired to the UART — which may be a removable or external module (e.g. an off-board Bluetooth controller on the HCI H4 link) rather than a permanently-bonded on-PCB part — the attack vector is scored Adjacent (AV:A) rather than Physical; the security subcommittee should confirm the vector against the specific deployment. Impact is availability only; there is no memory-safety, confidentiality, or integrity consequence.

The vulnerable loop was introduced in commit b783bc8448ef (Feb 2025) and shipped in releases v4.1.0 through v4.4.0. The fix breaks out of the loop when CTS is blocking and arms the CTS modem-status interrupt to resume transmission when CTS re-asserts.

Database specific
{
    "cwe_ids": [
        "CWE-835"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10642.json",
    "cna_assigner": "zephyr",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "4.1.0"
                },
                {
                    "fixed": "4.5.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ]
}
References

Affected packages

Git / github.com/zephyrproject-rtos/zephyr

Affected ranges

Type
GIT
Repo
https://github.com/zephyrproject-rtos/zephyr
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "v4.1.0"
        },
        {
            "fixed": "v4.4.0"
        }
    ],
    "source": "DESCRIPTION"
}

Affected versions

v4.*
v4.1.0
v4.2.0
v4.2.0-rc1
v4.2.0-rc2
v4.2.0-rc3
v4.3.0
v4.3.0-rc1
v4.3.0-rc2
v4.3.0-rc3
v4.4.0-rc1
v4.4.0-rc2
v4.4.0-rc3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10642.json"