In Zephyr's WireGuard subsystem (subsys/net/lib/wireguard), wgprocessdatamessage() in wgcrypto.c linearizes an inbound transport-data payload into a fixed pool buffer of CONFIGWIREGUARDBUFLEN bytes before decryption. The call netbuflinearize(buf->data, datalen, pkt->buffer, ..., datalen) passed the attacker-derived datalen as both the destination capacity and the copy length, defeating the function's internal len = min(len, dstlen) bound. datalen is derived from the received UDP datagram length and is only lower-bounded by wgctrlrecv() (no upper bound). When datalen exceeds CONFIGWIREGUARDBUFLEN — e.g. when the buffer length is lowered below the link MTU, on links with MTU above the buffer size, or via reassembled IPv4/IPv6 fragments that exceed it — the underlying memcpy writes past the end of the pool buffer, an out-of-bounds write (CWE-787). The overflow occurs before the Poly1305 authentication check, so it requires only a valid receiver session index rather than a valid authenticator, and is reachable by a malicious or compromised peer (or an on-path attacker driving an established session) over the network, yielding remote memory corruption and at minimum a reliable denial of service. The defect was present in the WireGuard implementation shipped in Zephyr 4.4.0. The fix adds an explicit datalen > CONFIGWIREGUARDBUFLEN rejection and corrects the linearize call to pass netbufmax_len(buf) as the destination capacity.
{
"cna_assigner": "zephyr",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10665.json",
"cwe_ids": [
"CWE-787"
],
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.5.0"
}
]
}
]
}"2026-07-15T15:33:07Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10665.json"
[
{
"target": {
"file": "subsys/net/lib/wireguard/wg_crypto.c"
},
"deprecated": false,
"source": "https://github.com/zephyrproject-rtos/zephyr/commit/6d8bb28dc9064e05e52b5a00b2998ecc663e38cb",
"digest": {
"threshold": 0.9,
"line_hashes": [
"305370482156741404443576472402295948273",
"250070395374217992365571996374620476213",
"95265452955038653220678214904768397510",
"39498010945792803531248819235949840749",
"224788421543690008434568398379329240711",
"147015312276524563224817125768066700824",
"320083930059315659334449515305974461134"
]
},
"id": "CVE-2026-10665-7dbf1a3f",
"signature_type": "Line",
"signature_version": "v1"
},
{
"target": {
"file": "subsys/net/lib/wireguard/wg_crypto.c",
"function": "wg_process_data_message"
},
"deprecated": false,
"source": "https://github.com/zephyrproject-rtos/zephyr/commit/6d8bb28dc9064e05e52b5a00b2998ecc663e38cb",
"digest": {
"function_hash": "272444193580968995731835784050175753552",
"length": 4737.0
},
"id": "CVE-2026-10665-9b4616e2",
"signature_type": "Function",
"signature_version": "v1"
}
]