CVE-2026-10669

Source
https://cve.org/CVERecord?id=CVE-2026-10669
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10669.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10669
Aliases
  • GHSA-4r4p-gh69-v6w4
Published
2026-07-14T15:02:02.932Z
Modified
2026-07-15T02:17:13.049723818Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Xtensa MPU `arch_buffer_validate()` integer-overflow lets a user thread bypass syscall pointer validation
Details

On Xtensa SoCs built with CONFIGXTENSAMPU and CONFIGUSERSPACE, archbuffervalidate() in arch/xtensa/core/mpu.c — the architecture hook that verifies a user-mode-supplied buffer is accessible to the calling user thread with the requested permission — defaulted its return value to 0 (access permitted) and only set a denial result inside its per-MPU-region probe loop. When the rounded extent of the buffer wraps the 32-bit address space (size + alignment offset near SIZEMAX, or ROUND_UP(size + offset) overflowing to 0), the loop executes zero iterations and the function returns 0 = permitted without probing any MPU region.

The syscall-layer pre-checks (KSYSCALLMEMORYSIZECHECK / ZDETECTPOINTEROVERFLOW) only catch a raw addr+size wrap and do not cover the ROUNDUP-induced wrap, and the string path (archuserstringnlen -> archbuffer_validate) has no syscall-layer guard at all.

An unprivileged user-mode thread can therefore pass a crafted (addr, size) to any syscall that validates user buffers via kusermodefromcopy/tocopy or kusermodestring_copy and have validation succeed for memory it must not access; the kernel then reads from (disclosure) or, with write=1, writes to (corruption) attacker-chosen kernel or other-partition memory on the thread's behalf, enabling information disclosure, memory corruption, privilege escalation, and denial of service.

Affected from v3.7.0 (when Xtensa MPU userspace support was added) through v4.4.0. The fix changes the default to -EINVAL (deny by default), adds an explicit sizeaddoverflow check, and sets the success value only after the full range has been validated.

Database specific
{
    "cna_assigner": "zephyr",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10669.json",
    "cwe_ids": [
        "CWE-787"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "3.7.0"
                },
                {
                    "fixed": "4.5.0"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/zephyrproject-rtos/zephyr

Affected ranges

Type
GIT
Repo
https://github.com/zephyrproject-rtos/zephyr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "DESCRIPTION",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "v4.4.0"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.1.0
v1.1.0-rc1
v1.10.0
v1.10.0-rc1
v1.10.0-rc2
v1.10.0-rc3
v1.11.0
v1.11.0-rc1
v1.11.0-rc2
v1.11.0-rc3
v1.12.0
v1.12.0-rc1
v1.12.0-rc2
v1.12.0-rc3
v1.13.0
v1.13.0-rc1
v1.13.0-rc2
v1.13.0-rc3
v1.14.0
v1.14.0-rc1
v1.14.0-rc2
v1.14.0-rc3
v1.2.0
v1.2.0-rc1
v1.2.0-rc2
v1.3.0
v1.3.0-rc1
v1.3.0-rc2
v1.4.0
v1.4.0-rc1
v1.4.0-rc2
v1.4.0-rc3
v1.5.0
v1.5.0-rc0
v1.5.0-rc1
v1.5.0-rc2
v1.5.0-rc3
v1.5.0-rc4
v1.6.99
v1.7.99
v1.8.99
v1.9.0
v1.9.0-rc1
v1.9.0-rc2
v1.9.0-rc3
v1.9.0-rc4
v2.*
v2.0.0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.1.0
v2.1.0-rc1
v2.1.0-rc2
v2.1.0-rc3
v2.2.0
v2.2.0-rc1
v2.2.0-rc2
v2.2.0-rc3
v2.3.0
v2.3.0-rc1
v2.3.0-rc2
v2.4.0
v2.4.0-rc1
v2.4.0-rc2
v2.4.0-rc3
v2.5.0
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.5.0-rc4
v2.6.0
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v2.7.0-rc1
v2.7.0-rc2
v2.7.0-rc3
v2.7.99
v3.*
v3.0.0
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.1.0
v3.1.0-rc1
v3.1.0-rc2
v3.1.0-rc3
v3.2.0
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.3.0
v3.3.0-rc1
v3.3.0-rc2
v3.3.0-rc3
v3.4.0
v3.4.0-rc1
v3.4.0-rc2
v3.4.0-rc3
v3.5.0
v3.5.0-rc1
v3.5.0-rc2
v3.5.0-rc3
v3.6.0
v3.6.0-rc1
v3.6.0-rc2
v3.6.0-rc3
v3.7.0
v3.7.0-rc1
v3.7.0-rc2
v3.7.0-rc3
v4.*
v4.0.0
v4.0.0-rc1
v4.0.0-rc2
v4.0.0-rc3
v4.1.0
v4.1.0-rc1
v4.1.0-rc2
v4.1.0-rc3
v4.2.0
v4.2.0-rc1
v4.2.0-rc2
v4.2.0-rc3
v4.3.0
v4.3.0-rc1
v4.3.0-rc2
v4.3.0-rc3
v4.4.0-rc1
v4.4.0-rc2
v4.4.0-rc3
zephyr-v1.*
zephyr-v1.0.0
zephyr-v1.1.0
zephyr-v1.10.0
zephyr-v1.11.0
zephyr-v1.12.0
zephyr-v1.13.0
zephyr-v1.14.0
zephyr-v1.2.0
zephyr-v1.3.0
zephyr-v1.4.0
zephyr-v1.5.0
zephyr-v1.9.0
zephyr-v2.*
zephyr-v2.0.0
zephyr-v2.1.0
zephyr-v2.2.0
zephyr-v2.3.0
zephyr-v2.4.0
zephyr-v2.5.0
zephyr-v2.6.0
zephyr-v3.*
zephyr-v3.0.0
zephyr-v3.1.0
zephyr-v3.2.0
zephyr-v3.3.0
zephyr-v3.4.0
zephyr-v3.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10669.json"