Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10659

CVE-2026-10659: Zephyrproject Zephyr DOS Vulnerability

CVE-2026-10659 is a denial of service flaw in Zephyrproject Zephyr's Dhara flash translation layer driver that causes kernel faults through NULL pointer dereference. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-10659 Overview

CVE-2026-10659 is a NULL pointer dereference vulnerability [CWE-476] in the Zephyr real-time operating system. The flaw exists in the Dhara flash translation layer (FTL) disk driver located at drivers/disk/ftl_dhara.c. The driver's dhara_nand_* callbacks write error codes unconditionally through a caller-supplied dhara_error_t *err pointer. When the upstream Dhara library invokes these callbacks with err == NULL during journal resume, a flash error triggers a write to a NULL address, faulting the kernel. The vulnerability was introduced in Zephyr v4.4.0 when the driver was added.

Critical Impact

A local attacker who can influence NAND media content or induce flash errors on checkpoint pages can cause a kernel fault during FTL mount, resulting in denial of service.

Affected Products

  • Zephyr RTOS v4.4.0 (the release that introduced the ftl_dhara driver)
  • Devices mounting a Dhara FTL disk on NAND flash storage
  • Embedded systems relying on disk_ftl_access_init() at boot

Discovery Timeline

  • 2026-07-07 - CVE-2026-10659 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-10659

Vulnerability Analysis

The Dhara FTL driver implements NAND callbacks including dhara_nand_read, dhara_nand_erase, dhara_nand_prog, and dhara_nand_copy. Each callback writes error codes directly through the supplied dhara_error_t *err pointer, for example *err = DHARA_E_ECC on read failures. The upstream Dhara library expects callbacks to tolerate a NULL error pointer and provides the dhara_set_error() helper for that purpose. The Zephyr implementation bypassed this helper and dereferenced the pointer unconditionally.

Root Cause

The root cause is unsafe pointer usage in error-reporting code paths. During journal resume, find_last_checkblock() calls find_checkblock(j, mid, &found, NULL), forwarding a NULL error pointer into dhara_nand_read(). If the probed checkpoint page returns an uncorrectable ECC error, bad block, or controller error, the driver executes *err = DHARA_E_ECC on a NULL pointer and faults the kernel.

Attack Vector

Exploitation requires local access and the ability to influence NAND medium state. Triggers include natural media wear, induced fault injection, or a corrupted or crafted on-flash image mounted through disk_ftl_access_init() and dhara_map_resume(). The condition is triggered at mount or initialization time.

c
 	ret = flash_erase(ctx->info.dev, block_addr, ctx->block_size);
 	if (ret != 0) {
 		LOG_ERR("erasing block at 0x%08lx failed with error %d", (long)block_addr, ret);
-		*err = DHARA_E_BAD_BLOCK;
+		dhara_set_error(err, DHARA_E_BAD_BLOCK);
 		return -1;
 	}

Source: Zephyr commit a8371b0d4719. The patch routes all error assignments through the NULL-safe dhara_set_error() helper.

Detection Methods for CVE-2026-10659

Indicators of Compromise

  • Unexpected kernel faults or panics logged during boot when mounting an FTL-backed disk
  • Repeated LOG_ERR entries from ftl_dhara.c referencing ECC, bad block, or flash controller errors immediately preceding a crash
  • Devices entering reset loops after firmware updates that populate or modify NAND checkpoint pages

Detection Strategies

  • Audit deployed Zephyr firmware images and verify the base version against v4.4.0 and the presence of the drivers/disk/ftl_dhara.c driver
  • Inspect NAND health telemetry for rising uncorrectable ECC counts on devices using Dhara FTL
  • Correlate crash-dump signatures with faults on write instructions inside dhara_nand_read, dhara_nand_erase, dhara_nand_prog, or dhara_nand_copy

Monitoring Recommendations

  • Track boot-time success rates and mount failures for FTL disks across the device fleet
  • Alert on repeated device resets that coincide with FTL initialization log messages
  • Monitor supply-chain and firmware artifacts for tampered on-flash images intended for FTL-backed devices

How to Mitigate CVE-2026-10659

Immediate Actions Required

  • Apply the upstream fix from Zephyr commit a8371b0d4719efe37a66e2abb618ad9b81792212 to all builds derived from v4.4.0
  • Rebuild and redeploy firmware for any device that mounts a Dhara FTL disk
  • Validate NAND integrity on affected devices and replace media showing elevated ECC error rates

Patch Information

The fix routes every error assignment in ftl_dhara.c through the library helper dhara_set_error(), which safely returns without dereferencing when err == NULL. Details are available in the GitHub Security Advisory GHSA-q28v-3729-f82g and the upstream patch commit.

Workarounds

  • Disable the Dhara FTL disk driver in Kconfig where the feature is not required
  • Restrict physical and local logical access to devices that mount FTL-backed NAND storage
  • Validate on-flash images with integrity checks before mounting to reduce the chance of triggering the fault on crafted content
bash
# Kconfig example: disable the Dhara FTL disk driver if not required
CONFIG_DISK_DRIVER_FLASH=n
CONFIG_FLASH_MAP=n
# Rebuild firmware after applying the upstream patch:
# git cherry-pick a8371b0d4719efe37a66e2abb618ad9b81792212
west build -b <board> <app> --pristine

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.