CVE-2026-10659 Overview
CVE-2026-10659 is a NULL pointer dereference vulnerability [CWE-476] in the Zephyr real-time operating system. The flaw exists in the Dhara flash translation layer (FTL) disk driver located at drivers/disk/ftl_dhara.c. The driver's dhara_nand_* callbacks write error codes unconditionally through a caller-supplied dhara_error_t *err pointer. When the upstream Dhara library invokes these callbacks with err == NULL during journal resume, a flash error triggers a write to a NULL address, faulting the kernel. The vulnerability was introduced in Zephyr v4.4.0 when the driver was added.
Critical Impact
A local attacker who can influence NAND media content or induce flash errors on checkpoint pages can cause a kernel fault during FTL mount, resulting in denial of service.
Affected Products
- Zephyr RTOS v4.4.0 (the release that introduced the ftl_dhara driver)
- Devices mounting a Dhara FTL disk on NAND flash storage
- Embedded systems relying on disk_ftl_access_init() at boot
Discovery Timeline
- 2026-07-07 - CVE-2026-10659 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-10659
Vulnerability Analysis
The Dhara FTL driver implements NAND callbacks including dhara_nand_read, dhara_nand_erase, dhara_nand_prog, and dhara_nand_copy. Each callback writes error codes directly through the supplied dhara_error_t *err pointer, for example *err = DHARA_E_ECC on read failures. The upstream Dhara library expects callbacks to tolerate a NULL error pointer and provides the dhara_set_error() helper for that purpose. The Zephyr implementation bypassed this helper and dereferenced the pointer unconditionally.
Root Cause
The root cause is unsafe pointer usage in error-reporting code paths. During journal resume, find_last_checkblock() calls find_checkblock(j, mid, &found, NULL), forwarding a NULL error pointer into dhara_nand_read(). If the probed checkpoint page returns an uncorrectable ECC error, bad block, or controller error, the driver executes *err = DHARA_E_ECC on a NULL pointer and faults the kernel.
Attack Vector
Exploitation requires local access and the ability to influence NAND medium state. Triggers include natural media wear, induced fault injection, or a corrupted or crafted on-flash image mounted through disk_ftl_access_init() and dhara_map_resume(). The condition is triggered at mount or initialization time.
ret = flash_erase(ctx->info.dev, block_addr, ctx->block_size);
if (ret != 0) {
LOG_ERR("erasing block at 0x%08lx failed with error %d", (long)block_addr, ret);
- *err = DHARA_E_BAD_BLOCK;
+ dhara_set_error(err, DHARA_E_BAD_BLOCK);
return -1;
}
Source: Zephyr commit a8371b0d4719. The patch routes all error assignments through the NULL-safe dhara_set_error() helper.
Detection Methods for CVE-2026-10659
Indicators of Compromise
- Unexpected kernel faults or panics logged during boot when mounting an FTL-backed disk
- Repeated LOG_ERR entries from ftl_dhara.c referencing ECC, bad block, or flash controller errors immediately preceding a crash
- Devices entering reset loops after firmware updates that populate or modify NAND checkpoint pages
Detection Strategies
- Audit deployed Zephyr firmware images and verify the base version against v4.4.0 and the presence of the drivers/disk/ftl_dhara.c driver
- Inspect NAND health telemetry for rising uncorrectable ECC counts on devices using Dhara FTL
- Correlate crash-dump signatures with faults on write instructions inside dhara_nand_read, dhara_nand_erase, dhara_nand_prog, or dhara_nand_copy
Monitoring Recommendations
- Track boot-time success rates and mount failures for FTL disks across the device fleet
- Alert on repeated device resets that coincide with FTL initialization log messages
- Monitor supply-chain and firmware artifacts for tampered on-flash images intended for FTL-backed devices
How to Mitigate CVE-2026-10659
Immediate Actions Required
- Apply the upstream fix from Zephyr commit a8371b0d4719efe37a66e2abb618ad9b81792212 to all builds derived from v4.4.0
- Rebuild and redeploy firmware for any device that mounts a Dhara FTL disk
- Validate NAND integrity on affected devices and replace media showing elevated ECC error rates
Patch Information
The fix routes every error assignment in ftl_dhara.c through the library helper dhara_set_error(), which safely returns without dereferencing when err == NULL. Details are available in the GitHub Security Advisory GHSA-q28v-3729-f82g and the upstream patch commit.
Workarounds
- Disable the Dhara FTL disk driver in Kconfig where the feature is not required
- Restrict physical and local logical access to devices that mount FTL-backed NAND storage
- Validate on-flash images with integrity checks before mounting to reduce the chance of triggering the fault on crafted content
# Kconfig example: disable the Dhara FTL disk driver if not required
CONFIG_DISK_DRIVER_FLASH=n
CONFIG_FLASH_MAP=n
# Rebuild firmware after applying the upstream patch:
# git cherry-pick a8371b0d4719efe37a66e2abb618ad9b81792212
west build -b <board> <app> --pristine
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

