{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0849", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "state": "PUBLISHED", "assignerShortName": "zephyr", "dateReserved": "2026-01-11T06:32:24.529Z", "datePublished": "2026-03-14T21:05:36.954Z", "dateUpdated": "2026-03-17T15:05:37.922Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Zephyr", "product": "Zephyr", "repo": "https://github.com/zephyrproject-rtos/zephyr", "vendor": "zephyrproject-rtos", "versions": [{"lessThanOrEqual": "4.3", "status": "affected", "version": "*", "versionType": "git"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "crypto: ATAES132A response length allows stack buffer overflow"}], "value": "Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-03-14T21:05:36.954Z"}, "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6"}], "source": {"discovery": "UNKNOWN"}, "title": "crypto: ATAES132A response length allows stack buffer overflow", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T15:04:55.949281Z", "id": "CVE-2026-0849", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T15:05:37.922Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0849", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T15:04:55.949281Z"}}}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T15:05:26.565Z"}}], "cna": {"title": "crypto: ATAES132A response length allows stack buffer overflow", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/zephyrproject-rtos/zephyr", "vendor": "zephyrproject-rtos", "product": "Zephyr", "versions": [{"status": "affected", "version": "*", "versionType": "git", "lessThanOrEqual": "4.3"}], "packageName": "Zephyr", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.", "supportingMedia": [{"type": "text/html", "value": "crypto: ATAES132A response length allows stack buffer overflow", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-03-14T21:05:36.954Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0849", "state": "PUBLISHED", "dateUpdated": "2026-03-17T15:05:37.922Z", "dateReserved": "2026-01-11T06:32:24.529Z", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "datePublished": "2026-03-14T21:05:36.954Z", "assignerShortName": "zephyr"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "EA3FCE94-ECC0-421B-B359-8AC2F4FF9589", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "A9F6045A-6985-43A5-A0C3-19CF4E3D0ACF", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "F46D01CA-AD60-4A2F-91E0-44BDD4C6EDDA", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "0A85B354-1551-4500-8775-CEFEE279579D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution."}, {"lang": "es", "value": "Respuestas ATAES132A malformadas con un campo de longitud sobredimensionado desbordan un b\u00fafer de pila de 52 bytes en el controlador criptogr\u00e1fico de Zephyr, permitiendo a un dispositivo comprometido o a un atacante del bus corromper la memoria del kernel y potencialmente secuestrar la ejecuci\u00f3n."}], "id": "CVE-2026-0849", "lastModified": "2026-04-02T14:26:59.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 3.4, "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-16T14:18:07.270", "references": [{"source": "vulnerabilities@zephyrproject.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6"}], "sourceIdentifier": "vulnerabilities@zephyrproject.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Zephyr", "source": "cna", "vendor": "zephyrproject-rtos"}, "product": "zephyr", "vendor": "zephyrproject-rtos"}], "analysis": {"en": {"generated_at": "2026-03-17T16:53:28.345045+00:00", "value": {"mitigation_remediation": ["Check for and apply the latest Zephyr release that contains the patched ATAES132A driver; the GitHub advisory linked provides update information.", "If the device is not immediately upgradable, isolate or disable the ATAES132A module on any untrusted or peripheral devices to eliminate the extension point.\n", "Implement strict physical bus access controls and monitor for unauthorized ATAES132A traffic.\n", "Verify that no legacy or custom cryptographic configurations reference the vulnerable driver.\n", "Consider running integrity checks on kernel memory or employing canary pages to detect buffer overflows early."], "summary": {"action": "Patch", "impact": "Stack buffer overflow capable of corrupting kernel memory and potentially hijacking execution"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the Zephyr RTOS crypto subsystem. No specific product or firmware versions are supplied in the vendor data; the advisory notes the issue exists for any build of Zephyr that incorporates the affected ATAES132A driver. Users should verify whether their current Zephyr release includes the patched driver as the CNAs did not list affected releases.", "description_and_impact": "A malformed response from an ATAES132A cryptographic module supplies an overly large length field that overflows a 52\u2011byte stack buffer inside Zephyr's crypto driver. This overflow can corrupt adjacent kernel memory, creating an opportunity for an attacker to alter control flow and possibly execute arbitrary code. The weakness is identified as CWE\u2011120, a classic stack-based buffer overflow that compromises the integrity of the kernel.", "risk_and_exploitability": "The CVSS score is 3.8, indicating low impact when evaluated in isolation, and the EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a compromised device or a malicious bus attacker able to inject a crafted ATAES132A response; therefore the attack vector is a physical or local adversary with bus access. While the exploit difficulty is moderate, any successful compromise results in kernel memory corruption and can elevate privileges or alter device operation."}}}}, "created": "2026-03-16T09:22:20.822616+00:00", "updated": "2026-03-23T13:39:06.149470+00:00", "vendors": ["zephyrproject-rtos", "zephyrproject-rtos$PRODUCT$zephyr"]}