Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10644

CVE-2026-10644: Microchip SERCOM UART Buffer Overflow

CVE-2026-10644 is a buffer overflow flaw in the Microchip SERCOM-G1 UART driver for PIC32CM-JH SoCs. An out-of-bounds write in the async DMA receive path can cause memory corruption. This article covers technical details, impact, and fixes.

Published:

CVE-2026-10644 Overview

CVE-2026-10644 is an out-of-bounds write vulnerability in the Zephyr RTOS Microchip SERCOM-G1 UART driver (drivers/serial/uart_mchp_sercom_g1.c) used by the PIC32CM-JH SoC family. The flaw resides in the asynchronous DMA receive path and is triggered when uart_rx_enable() is called with a one-byte receive buffer while CONFIG_UART_MCHP_ASYNC is enabled. The peripheral-triggered DMA start sequencing writes one byte past the end of the caller-supplied buffer, corrupting adjacent memory ([CWE-787]). The defect shipped in Zephyr v4.4.0.

Critical Impact

An adjacent attacker on the connected serial link can trigger a single-byte memory write immediately after the RX buffer, causing memory corruption and possible denial of service.

Affected Products

  • Zephyr RTOS v4.4.0 (Microchip SERCOM-G1 UART driver)
  • Microchip PIC32CM-JH SoC family boards using CONFIG_UART_MCHP_ASYNC
  • Consumers invoking uart_rx_enable() with a one-byte receive buffer

Discovery Timeline

  • 2026-06-28 - CVE-2026-10644 published to NVD
  • 2026-06-29 - Last updated in NVD database

Technical Details for CVE-2026-10644

Vulnerability Analysis

The vulnerability exists in the asynchronous UART receive path of the SERCOM-G1 driver. When uart_rx_enable() is invoked with len == 1, the RX-complete interrupt service routine (ISR) starts a single-beat DMA transfer while a byte is already pending in the SERCOM DATA register. On the PIC32CM-JH SoC, the peripheral-triggered DMA start sequencing writes one byte past the end of the one-byte caller-supplied buffer. The overflowed byte's value is the UART RX data supplied by the connected serial peer. Its size and location are fixed at one byte immediately after the buffer, limiting the corruption to a single adjacent byte.

Root Cause

The root cause is incorrect handling of the pending byte already latched in the SERCOM DATA register at the time the DMA engine is armed. The driver arms a DMA transfer of length equal to the requested buffer size without accounting for the byte already available in hardware. For a one-byte buffer, this causes the DMA controller to write both the pending byte and the next incoming byte, producing a one-byte overflow ([CWE-787]).

Attack Vector

Exploitation requires adjacent network access, specifically an attacker connected to the UART serial peer, and a target build with CONFIG_UART_MCHP_ASYNC enabled. This configuration is not enabled by default on the in-tree PIC32CM-JH boards. The consumer application must also call uart_rx_enable() with a one-byte receive buffer. The attacker controls only the value of the overflowed byte through bytes transmitted on the serial line. The size and offset of the corruption are fixed by the vulnerable code path.

No verified exploit code is publicly available. See the Zephyr Security Advisory GHSA-xv2x-56j7-6wc3 for full technical details.

Detection Methods for CVE-2026-10644

Indicators of Compromise

  • Unexpected crashes, faults, or reboots on PIC32CM-JH devices shortly after receiving UART traffic
  • Corruption of memory contents immediately adjacent to buffers passed to uart_rx_enable()
  • Presence of CONFIG_UART_MCHP_ASYNC=y in the firmware build configuration combined with calls to uart_rx_enable() with len == 1

Detection Strategies

  • Audit firmware source for calls to uart_rx_enable() and verify buffer length arguments
  • Grep build artifacts and .config files for CONFIG_UART_MCHP_ASYNC enablement on affected SoC targets
  • Confirm the Zephyr version in use; builds based on v4.4.0 without the fix commit 5251d2bc are vulnerable

Monitoring Recommendations

  • Enable Zephyr fault handling and log unexpected exceptions or memory faults on affected devices
  • Instrument the RX path in test builds to log received lengths and buffer addresses during validation
  • Track upstream Zephyr security advisories for the SERCOM-G1 driver and downstream vendor SDK updates

How to Mitigate CVE-2026-10644

Immediate Actions Required

  • Update the Zephyr tree to include commit 5251d2bc, which corrects the DMA sizing in the SERCOM-G1 UART driver
  • Rebuild and reflash firmware for PIC32CM-JH devices that enable CONFIG_UART_MCHP_ASYNC
  • Review consumer code to avoid one-byte receive buffers where practical

Patch Information

The fix, published in Zephyr commit 5251d2bc, reads the first byte with the CPU from the SERCOM DATA register. For a one-byte buffer the driver performs no DMA at all. For larger buffers the driver sizes the DMA transfer for the remaining len - 1 bytes, eliminating the off-by-one overflow. Full details are in the Zephyr Security Advisory.

Workarounds

  • Disable CONFIG_UART_MCHP_ASYNC on PIC32CM-JH targets until the patch can be applied
  • Ensure application code never invokes uart_rx_enable() with len == 1 on the affected driver
  • Restrict physical or logical access to UART interfaces exposed to untrusted peers
bash
# Configuration example: disable async UART on affected targets
# In prj.conf for PIC32CM-JH builds
CONFIG_UART_MCHP_ASYNC=n

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.