CVE-2026-10659

Source
https://cve.org/CVERecord?id=CVE-2026-10659
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10659.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10659
Aliases
  • GHSA-q28v-3729-f82g
Published
2026-07-07T12:58:11.505Z
Modified
2026-07-15T07:34:32.528486Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
NULL pointer dereference in Zephyr Dhara FTL disk driver on flash read error during journal resume
Details

The Dhara flash translation layer disk driver (drivers/disk/ftldhara.c) implemented the dharanand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dharaerrort err pointer (e.g. *err = DHARAEECC in dharanandread, and similar in dharananderase/prog/copy). The upstream Dhara library calls these callbacks with err == NULL along its journal-resume binary search: findlastcheckblock() invokes findcheckblock(j, mid, &found, NULL), which forwards the NULL pointer into dharanandread(). This path runs during diskftlaccessinit() -> dharamapresume() whenever the FTL disk is mounted/initialised. If a flash read error (uncorrectable ECC, bad block, controller error) occurs on one of the probed checkpoint pages, the driver dereferences and writes to NULL, faulting the kernel (denial of service). The trigger is conditioned on the NAND medium content/health, which can be influenced by media wear, induced faults, or a corrupted/crafted on-flash image. The fix routes all error assignments through the library's NULL-safe dharaseterror() helper. Affects Zephyr v4.4.0, where the driver was introduced.

Database specific
{
    "cna_assigner": "zephyr",
    "cwe_ids": [
        "CWE-476"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "4.4.0"
                },
                {
                    "fixed": "4.5.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10659.json"
}
References

Affected packages

Git / github.com/zephyrproject-rtos/zephyr

Affected ranges

Type
GIT
Repo
https://github.com/zephyrproject-rtos/zephyr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.1.0-rc1
v1.10.0
v1.10.0-rc1
v1.10.0-rc2
v1.10.0-rc3
v1.11.0
v1.11.0-rc1
v1.11.0-rc2
v1.11.0-rc3
v1.12.0
v1.12.0-rc1
v1.12.0-rc2
v1.12.0-rc3
v1.13.0
v1.13.0-rc1
v1.13.0-rc2
v1.13.0-rc3
v1.14.0
v1.14.0-rc1
v1.14.0-rc2
v1.14.0-rc3
v1.2.0
v1.2.0-rc1
v1.2.0-rc2
v1.3.0
v1.3.0-rc1
v1.3.0-rc2
v1.4.0
v1.4.0-rc1
v1.4.0-rc2
v1.4.0-rc3
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.5.0-rc2
v1.5.0-rc3
v1.5.0-rc4
v1.6.99
v1.7.99
v1.8.99
v1.9.0
v1.9.0-rc1
v1.9.0-rc2
v1.9.0-rc3
v1.9.0-rc4
v2.*
v2.0.0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.1.0
v2.1.0-rc1
v2.1.0-rc2
v2.1.0-rc3
v2.2.0
v2.2.0-rc1
v2.2.0-rc2
v2.2.0-rc3
v2.3.0
v2.3.0-rc1
v2.3.0-rc2
v2.4.0
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc3
v2.5.0
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.5.0-rc4
v2.6.0
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v2.7.0-rc1
v2.7.0-rc2
v2.7.0-rc3
v2.7.99
v3.*
v3.0.0
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.1.0
v3.1.0-rc1
v3.1.0-rc2
v3.1.0-rc3
v3.2.0
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.3.0
v3.3.0-rc1
v3.3.0-rc2
v3.3.0-rc3
v3.4.0
v3.4.0-rc1
v3.4.0-rc2
v3.4.0-rc3
v3.5.0
v3.5.0-rc1
v3.5.0-rc2
v3.5.0-rc3
v3.6.0
v3.6.0-rc1
v3.6.0-rc2
v3.6.0-rc3
v3.7.0
v3.7.0-rc1
v3.7.0-rc2
v3.7.0-rc3
v4.*
v4.0.0
v4.0.0-rc1
v4.0.0-rc2
v4.0.0-rc3
v4.1.0
v4.1.0-rc1
v4.1.0-rc2
v4.1.0-rc3
v4.2.0
v4.2.0-rc1
v4.2.0-rc2
v4.2.0-rc3
v4.3.0
v4.3.0-rc1
v4.3.0-rc2
v4.3.0-rc3
v4.4.0
v4.4.0-rc1
v4.4.0-rc2
v4.4.0-rc3
zephyr-v1.*
zephyr-v1.0.0
zephyr-v1.1.0
zephyr-v1.10.0
zephyr-v1.11.0
zephyr-v1.12.0
zephyr-v1.13.0
zephyr-v1.14.0
zephyr-v1.2.0
zephyr-v1.3.0
zephyr-v1.4.0
zephyr-v1.5.0
zephyr-v1.9.0
zephyr-v2.*
zephyr-v2.0.0
zephyr-v2.1.0
zephyr-v2.2.0
zephyr-v2.3.0
zephyr-v2.4.0
zephyr-v2.5.0
zephyr-v2.6.0
zephyr-v3.*
zephyr-v3.0.0
zephyr-v3.1.0
zephyr-v3.2.0
zephyr-v3.3.0
zephyr-v3.4.0
zephyr-v3.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10659.json"
vanir_signatures
[
    {
        "id": "CVE-2026-10659-33b33e2d",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a8371b0d4719efe37a66e2abb618ad9b81792212",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "291651456668538752735101111208431776706",
                "3888236229624628347395002599689247618",
                "8138488527185039473298263129114383364",
                "187709328796512985787468198340973956231",
                "160863834856675628226915308482110898174",
                "288157141572379132665602662432172507210",
                "33903998499409541441148917957296331920",
                "187709328796512985787468198340973956231",
                "222745099511265980652635918310577933598",
                "33870235508745988809413822855422065620",
                "229051453504200434189528518165675553778",
                "95348008149347923363644832814620977916",
                "219892454649792587453716393474001404171",
                "127823492324725622321561335082569335968",
                "131495992894222456774109689417979592900",
                "186879112893445407147074541435610935431",
                "291596232895834416744547212230167222160",
                "76594200025089633797744260997364394446",
                "63829731097900678274672326891397515641",
                "47628269934633935647422217277898032816",
                "1358960440943265797345613519788351923",
                "187709328796512985787468198340973956231"
            ]
        },
        "target": {
            "file": "drivers/disk/ftl_dhara.c"
        }
    },
    {
        "id": "CVE-2026-10659-53b14fc7",
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a8371b0d4719efe37a66e2abb618ad9b81792212",
        "deprecated": false,
        "digest": {
            "function_hash": "40380461249561500454875915157056697753",
            "length": 869.0
        },
        "target": {
            "function": "dhara_nand_copy",
            "file": "drivers/disk/ftl_dhara.c"
        }
    },
    {
        "id": "CVE-2026-10659-7f7d3f62",
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a8371b0d4719efe37a66e2abb618ad9b81792212",
        "deprecated": false,
        "digest": {
            "function_hash": "182353788976775799776663974462659571360",
            "length": 520.0
        },
        "target": {
            "function": "dhara_nand_erase",
            "file": "drivers/disk/ftl_dhara.c"
        }
    },
    {
        "id": "CVE-2026-10659-87fea9d9",
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a8371b0d4719efe37a66e2abb618ad9b81792212",
        "deprecated": false,
        "digest": {
            "function_hash": "41799661771669194142024202101495240034",
            "length": 615.0
        },
        "target": {
            "function": "dhara_nand_read",
            "file": "drivers/disk/ftl_dhara.c"
        }
    },
    {
        "id": "CVE-2026-10659-88333dbc",
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/zephyrproject-rtos/zephyr/commit/a8371b0d4719efe37a66e2abb618ad9b81792212",
        "deprecated": false,
        "digest": {
            "function_hash": "368273443691837535732591840921780240",
            "length": 546.0
        },
        "target": {
            "function": "dhara_nand_prog",
            "file": "drivers/disk/ftl_dhara.c"
        }
    }
]
vanir_signatures_modified
"2026-07-15T07:34:32Z"