CVE-2026-1679 - Vulnerability Details

- net: eswifi socket send payload length not bounded

Description

The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly.

Published: 2026-03-27

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The eswifi socket offload driver in Zephyr copies user‑provided data into a fixed‑size buffer without verifying the payload length. When a payload larger than the buffer is sent, the driver writes past the end of the buffer and corrupts kernel memory. This is a classic buffer overflow (CWE‑120). Because the overwrite occurs within kernel context, a local attacker can gain unauthorized privileges, potentially leading to full kernel compromise.

Affected Systems

The flaw affects Zephyr RTOS, specifically the eswifi socket offload driver. The advisory does not list precise affected versions, so any build that includes the eswifi driver without the bounds check is vulnerable. Check the Zephyr code base or release notes for the patched version.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, while the EPSS score of less than 1% suggests low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog, and a remote attacker cannot reach the driver directly. Exploitation requires local code that can invoke the socket send API, so the attack vector is local. If an attacker can run code on the device, they can trigger the overflow and potentially achieve kernel‑level execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

zephyrproject-rtos

Zephyr

unaffected

Version	Status	Constraints
`*`	affected	≤ 4.3

Configuration 1 [-]

cpe:2.3:o:zephyrproject:zephyr:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Zephyrproject-rtos

Zephyr

100%

Version	Status	Scheme	Platform
`[0,4.3]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Zephyr to the latest release that includes the fix for the eswifi buffer overflow.
If an update is not yet available, rebuild the Zephyr kernel with the bounds‑checking patch applied to the eswifi driver or disable the eswifi socket offload feature.
Restrict local access to the device by enforcing strict authentication and privilege separation, so that untrusted code cannot call the vulnerable socket API.
Verify the firmware by running static or dynamic analysis tools to ensure no remaining buffer overflows in the eswifi driver.

Generated by OpenCVE AI on April 1, 2026 at 05:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00045.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-qx3g-5g22-fq5w

History

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zephyrproject Zephyrproject zephyr
CPEs		cpe:2.3:o:zephyrproject:zephyr::::::::
Vendors & Products		Zephyrproject Zephyrproject zephyr

Mon, 30 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zephyrproject-rtos Zephyrproject-rtos zephyr
Vendors & Products		Zephyrproject-rtos Zephyrproject-rtos zephyr

Sat, 28 Mar 2026 03:15:00 +0000

Type	Values Removed	Values Added
Description		The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly.
Title		net: eswifi socket send payload length not bounded
Weaknesses		CWE-120
References		https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-qx3g-5g22-fq5w
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H'}`

Subscriptions

Zephyrproject Zephyr

Zephyrproject-rtos Zephyr

MITRE

Status: PUBLISHED

Assigner: zephyr

Published: 2026-03-27T23:21:18.399Z

Updated: 2026-04-01T13:52:01.510Z

Reserved: 2026-01-30T05:53:41.457Z

Link: CVE-2026-1679

Vulnrichment

Updated: 2026-04-01T13:51:56.396Z

NVD

Status : Analyzed

Published: 2026-03-28T00:16:04.740

Modified: 2026-03-31T20:35:00.897

Link: CVE-2026-1679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:55:11Z

Weaknesses

CWE-120

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object