Description
A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the function returns, interrupt service routines may dereference this dangling pointer, resulting in memory corruption.
Published: 2026-04-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Apply Patch
AI Analysis

Impact

A stack-use-after-return vulnerability exists in the Arduino_Core_STM32 library before version 1.7.0. The pwm_start() function creates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where the pointer is stored in a global timer handle registry. When pwm_start() returns, the pointer remains registered globally and interrupt service routines may later dereference this dangling pointer, causing memory corruption. This flaw corresponds to CWE‑562 (Access of Uninitialized Variable), and can compromise data integrity by overwriting memory locations.
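The pattern described above, reduced to a host-runnable sketch with a registration guard. This is an added example, not code from Arduino_Core_STM32 or the STM32 HAL: `tim_handle_t`, `tim_register()`, `handle_pool` and the `_before`/`_after` function names are hypothetical stand-ins, and the static pool is one way to keep a registered handle valid, not necessarily what version 1.7.0 does.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for TIM_HandleTypeDef; field names are hypothetical. */
typedef struct { uint32_t period; uint32_t pulse; } tim_handle_t;
#define TIMER_COUNT 4
static tim_handle_t *timer_registry[TIMER_COUNT]; /* global registry read by ISRs */
static tim_handle_t  handle_pool[TIMER_COUNT];    /* static storage, outlives every call */

/* Returns 1 only if h is an element of handle_pool (compared as integers, no dereference). */
static int in_static_pool(const tim_handle_t *h) {
    uintptr_t a  = (uintptr_t)h;
    uintptr_t lo = (uintptr_t)&handle_pool[0];
    uintptr_t hi = lo + sizeof handle_pool;
    return a >= lo && a < hi && (a - lo) % sizeof(tim_handle_t) == 0;
}

/* Hypothetical registration hook. Without the in_static_pool() test the pointer
 * would be stored as-is and dangle as soon as the caller's frame is released. */
static int tim_register(int idx, tim_handle_t *h) {
    if (idx < 0 || idx >= TIMER_COUNT || !in_static_pool(h)) return -1;
    timer_registry[idx] = h;
    return 0;
}

/* BEFORE: the pattern the advisory describes, a handle local to the function. */
int pwm_start_before(int idx, uint32_t period, uint32_t pulse) {
    tim_handle_t h = { period, pulse };   /* lives only until return */
    return tim_register(idx, &h);         /* guard rejects: -1 */
}

/* AFTER: the handle is taken from static storage, so the registry stays valid. */
int pwm_start_after(int idx, uint32_t period, uint32_t pulse) {
    if (idx < 0 || idx >= TIMER_COUNT) return -1;
    handle_pool[idx].period = period;
    handle_pool[idx].pulse  = pulse;
    return tim_register(idx, &handle_pool[idx]);
}

/* Simulated ISR: dereferences whatever the registry holds for this timer. */
uint32_t timer_isr(int idx) {
    return timer_registry[idx] ? timer_registry[idx]->pulse : 0;
}

int main(void) {
    printf("before: %d\n", pwm_start_before(0, 1000, 250));
    printf("after:  %d, isr pulse=%u\n", pwm_start_after(1, 1000, 250), (unsigned)timer_isr(1));
    return 0;
}
```

On a real target the same address test would be made against the static data region bounds exported by the linker script rather than a single pool array.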

Affected Systems

Any STM32-based project that uses the Arduino_Core_STM32 library and calls the pwm_start() function in a library version earlier than 1.7.0 is affected. Devices with this library are at risk when PWM functionality is utilized.

Risk and Exploitability

The EPSS score is reported as < 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation. The CVSS score of 5.3 denotes moderate severity. The attack vector is inferred to involve triggering the pwm_start() function through user‑controlled input or firmware logic that activates PWM, after which interrupt handlers may use an invalid global timer handle. This inference is based on the described behavior of the library and the timing of the dangling pointer usage.

Generated by OpenCVE AI on April 27, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Arduino_Core_STM32 library to version 1.7.0 or later, which removes the stack allocation and global pointer registration flaw.
  • If an upgrade is not immediately possible, refrain from calling the pwm_start() function until the library is updated.
  • Review the firmware to ensure that no interrupt service routines dereference unrelated global timer handles and replace any vulnerable calls with safer alternatives.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Stm32duino
Stm32duino arduino Core Stm32
Vendors & Products Stm32duino
Stm32duino arduino Core Stm32

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Stack‑Use‑After‑Return in Arduino_Core_STM32 Causes Memory Corruption

Wed, 22 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825

Wed, 22 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-562

Wed, 22 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Title Stack‑Use‑After‑Return in Arduino_Core_STM32 Causes Memory Corruption

Wed, 22 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Title Stack Use-After-Return in Arduino STM32 Core Library Causing Memory Corruption
Weaknesses CWE-416

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Title Stack Use-After-Return in Arduino STM32 Core Library Causing Memory Corruption
Weaknesses CWE-416

Mon, 20 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the function returns, interrupt service routines may dereference this dangling pointer, resulting in memory corruption.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-22T19:53:16.622Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26399

Vulnrichment

Updated: 2026-04-21T19:50:07.094Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T18:16:25.040

Modified: 2026-04-22T21:16:39.350

Link: CVE-2026-26399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:26:50Z
