Description
Out-of-bounds read vulnerability in ASR Kestrel (nr_fw modules) allows Overflow Buffers.

This vulnerability is associated with program files Code/Nr/nr_fw/RA/src/NrPwrCtrl.C.



This issue affects Kestrel: before 2026/02/10.
Published: 2026-04-30
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exists in the nr_fw module of ASR Kestrel firmware, specifically within the Code/Nr/nr_fw/RA/src/NrPwrCtrl.C file. An out-of-bounds read can allow an attacker to read memory beyond the intended buffer boundaries, potentially exposing sensitive data or internal device state. The weakness is classified as CWE-125, a type of memory corruption that does not provide immediate code execution but can reveal confidential information.

Affected Systems

ASR Kestrel devices running firmware versions released before 10 February 2026 are affected. The issue is scoped to the Kestrel firmware’s nr_fw modules; no further sub‑version information is listed.

Risk and Exploitability

The CVSS score of 7.4 indicates a high-severity vulnerability, yet the EPSS score is undefined and the vulnerability is not included in the CISA KEV catalog, implying no confirmed exploitation to date. The likely attack vector is external, with a remote actor sending crafted traffic that triggers the out-of-bounds read, though the specific exploit path is inferred from standard practices for similar weaknesses.

Generated by OpenCVE AI on April 30, 2026 at 13:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest firmware revision released after 10 February 2026, which eliminates the vulnerable code path.
  • If a firmware upgrade is not immediately possible, restrict network access to the affected Kestrel devices by placing them behind a firewall that permits only trusted traffic, thereby reducing exposure to potential exploitation.
  • Monitor device logs for anomalous memory read activity or crashes and configure alerts for high-severity events that may indicate an attempt to exploit the out-of-bounds read.

Advisories

No advisories yet.

History

Tue, 05 May 2026 03:00:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Asrmicro asr1803; Asrmicro asr1803 Firmware
CPEs |  | cpe:2.3:h:asrmicro:asr1803:-:*:*:*:*:*:*:*; cpe:2.3:o:asrmicro:asr1803_firmware:*:*:*:*:*:*:*:*
Vendors & Products |  | Asrmicro asr1803; Asrmicro asr1803 Firmware

Fri, 01 May 2026 08:30:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Asrmicro; Asrmicro kestrel
Vendors & Products |  | Asrmicro; Asrmicro kestrel

Thu, 30 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description |  | Out-of-bounds read vulnerability in ASR Kestrel (nr_fw modules) allows Overflow Buffers. This vulnerability is associated with program files Code/Nr/nr_fw/RA/src/NrPwrCtrl.C. This issue affects Kestrel: before 2026/02/10.
Title |  | Out-of-bounds read in ulp
Weaknesses |  | CWE-125
References |  |
Metrics |  | cvssV3_1: {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: ASR

Published:

Updated: 2026-04-30T13:03:30.773Z

Reserved: 2026-04-30T07:55:02.475Z

Link: CVE-2026-42799

Vulnrichment

Updated: 2026-04-30T13:03:27.385Z

NVD

Status: Analyzed

Published: 2026-04-30T09:16:03.473

Modified: 2026-05-05T02:53:31.087

Link: CVE-2026-42799

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses