8.3
HIGH CVSS 3.1
CVE-2026-10673
Out-of-bounds write in ADIN2111/ADIN1110 OA SPI Ethernet RX frame reassembly
Description

The Zephyr ADIN2111/ADIN1110 10BASE-T1S/T1L Ethernet driver (drivers/ethernet/eth_adin2111.c) reassembles received Ethernet frames in OPEN Alliance (OA) SPI mode by copying device-supplied 64-byte data chunks into a fixed static buffer ctx->buf of size CONFIG_ETH_ADIN2111_BUFFER_SIZE (default 1524 bytes). In eth_adin2111_oa_data_read(), each valid chunk was memcpy'd into ctx->buf[ctx->scur] and the write cursor scur advanced, with no check that scur + len stayed within the buffer. The number of chunks (up to 255, from the BUFSTS RCA field) and the per-chunk length are taken entirely from the frame data received off the wire; the cursor is only reset on a start-of-frame chunk. An attacker on the single-pair Ethernet segment can therefore send a frame whose reassembled size exceeds the configured buffer, causing the driver's RX offload thread to write attacker-controlled frame bytes past the end of the static buffer into adjacent driver/kernel memory (up to roughly 14.8 KB in the worst case). This is a remotely/adjacently reachable out-of-bounds write (CWE-787) that can corrupt memory and cause denial of service or potentially code execution. The defect was introduced when OA SPI support was added (commit 0ca8b0756b1) and shipped in releases v3.7.0 through v4.4.0. The fix adds a bounds check that drops the oversized frame and resets the cursor before the copy.

INFO

Published Date :

July 15, 2026, 6:16 p.m.

Last Modified :

July 15, 2026, 8:15 p.m.

Remotely Exploit :

No
Affected Products

The following products are affected by CVE-2026-10673 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Zephyrproject zephyr
2 Zephyrproject zephyr
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 134c704f-9b21-4f2e-91b3-4a467353bcc0
CVSS 3.1 HIGH e2e69745-5e70-4e92-8431-deb5529a81ad
CVSS 3.1 HIGH [email protected]
CVSS 3.1 HIGH MITRE-CVE
Solution
Fix buffer overflow by checking frame size before copying data.
  • Apply the patch that adds bounds checking.
  • Update the driver to the fixed version.
  • Reset the cursor before copying data.
  • Drop oversized frames.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-10673 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-10673 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-10673 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2026-10673 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jul. 15, 2026

    Action Type Old Value New Value
    Added Reference https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hm6v-4jh4-3qc4
    Added SSVC {'id': 'CVE-2026-10673', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'poc'}, {'automatable': 'no'}, {'technicalImpact': 'partial'}], 'version': '2.0.3', 'timestamp': '2026-07-15T18:00:59.180581Z'}
  • New CVE Received by [email protected]

    Jul. 15, 2026

    Action Type Old Value New Value
    Added Affected [{'vendor': 'zephyrproject', 'product': 'zephyr', 'versions': [{'status': 'affected', 'version': '3.7.0', 'lessThan': '4.5.0', 'versionType': 'semver'}], 'packageName': 'zephyr', 'programFiles': ['drivers/ethernet/eth_adin2111.c', 'drivers/ethernet/eth_adin2111_priv.h'], 'collectionURL': 'https://github.com/zephyrproject-rtos/zephyr', 'defaultStatus': 'unaffected'}]
    Added Description The Zephyr ADIN2111/ADIN1110 10BASE-T1S/T1L Ethernet driver (drivers/ethernet/eth_adin2111.c) reassembles received Ethernet frames in OPEN Alliance (OA) SPI mode by copying device-supplied 64-byte data chunks into a fixed static buffer ctx->buf of size CONFIG_ETH_ADIN2111_BUFFER_SIZE (default 1524 bytes). In eth_adin2111_oa_data_read(), each valid chunk was memcpy'd into ctx->buf[ctx->scur] and the write cursor scur advanced, with no check that scur + len stayed within the buffer. The number of chunks (up to 255, from the BUFSTS RCA field) and the per-chunk length are taken entirely from the frame data received off the wire; the cursor is only reset on a start-of-frame chunk. An attacker on the single-pair Ethernet segment can therefore send a frame whose reassembled size exceeds the configured buffer, causing the driver's RX offload thread to write attacker-controlled frame bytes past the end of the static buffer into adjacent driver/kernel memory (up to roughly 14.8 KB in the worst case). This is a remotely/adjacently reachable out-of-bounds write (CWE-787) that can corrupt memory and cause denial of service or potentially code execution. The defect was introduced when OA SPI support was added (commit 0ca8b0756b1) and shipped in releases v3.7.0 through v4.4.0. The fix adds a bounds check that drops the oversized frame and resets the cursor before the copy.
    Added CVSS V3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
    Added CWE CWE-125
    Added CWE CWE-787
    Added Reference https://github.com/zephyrproject-rtos/zephyr/commit/158df8d088316cdae20816fc07703892280b2acb
    Added Reference https://github.com/zephyrproject-rtos/zephyr/commit/c98321cbfef23c0e3bdf043ccf6b421067c8d508
    Added Reference https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hm6v-4jh4-3qc4
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.