{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0849", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "state": "PUBLISHED", "assignerShortName": "zephyr", "dateReserved": "2026-01-11T06:32:24.529Z", "datePublished": "2026-03-14T21:05:36.954Z", "dateUpdated": "2026-03-17T15:05:37.922Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Zephyr", "product": "Zephyr", "repo": "https://github.com/zephyrproject-rtos/zephyr", "vendor": "zephyrproject-rtos", "versions": [{"lessThanOrEqual": "4.3", "status": "affected", "version": "*", "versionType": "git"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "crypto: ATAES132A response length allows stack buffer overflow"}], "value": "Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "description": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-03-14T21:05:36.954Z"}, "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6"}], "source": {"discovery": "UNKNOWN"}, "title": "crypto: ATAES132A response length allows stack buffer overflow", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T15:04:55.949281Z", "id": "CVE-2026-0849", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T15:05:37.922Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0849", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T15:04:55.949281Z"}}}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T15:05:26.565Z"}}], "cna": {"title": "crypto: ATAES132A response length allows stack buffer overflow", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/zephyrproject-rtos/zephyr", "vendor": "zephyrproject-rtos", "product": "Zephyr", "versions": [{"status": "affected", "version": "*", "versionType": "git", "lessThanOrEqual": "4.3"}], "packageName": "Zephyr", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.", "supportingMedia": [{"type": "text/html", "value": "crypto: ATAES132A response length allows stack buffer overflow", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-03-14T21:05:36.954Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0849", "state": "PUBLISHED", "dateUpdated": "2026-03-17T15:05:37.922Z", "dateReserved": "2026-01-11T06:32:24.529Z", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "datePublished": "2026-03-14T21:05:36.954Z", "assignerShortName": "zephyr"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "EA3FCE94-ECC0-421B-B359-8AC2F4FF9589", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "A9F6045A-6985-43A5-A0C3-19CF4E3D0ACF", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "F46D01CA-AD60-4A2F-91E0-44BDD4C6EDDA", "vulnerable": true}, {"criteria": "cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "0A85B354-1551-4500-8775-CEFEE279579D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution."}, {"lang": "es", "value": "Respuestas ATAES132A malformadas con un campo de longitud sobredimensionado desbordan un b\u00fafer de pila de 52 bytes en el controlador criptogr\u00e1fico de Zephyr, permitiendo a un dispositivo comprometido o a un atacante del bus corromper la memoria del kernel y potencialmente secuestrar la ejecuci\u00f3n."}], "id": "CVE-2026-0849", "lastModified": "2026-04-02T14:26:59.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 3.4, "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-16T14:18:07.270", "references": [{"source": "vulnerabilities@zephyrproject.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6"}], "sourceIdentifier": "vulnerabilities@zephyrproject.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Zephyr", "source": "cna", "vendor": "zephyrproject-rtos"}, "product": "zephyr", "vendor": "zephyrproject-rtos"}], "analysis": {"en": {"generated_at": "2026-04-02T15:27:16.650504+00:00", "value": {"mitigation_remediation": ["Apply the security patch released by Zephyr for versions 4.3.0 and rc1\u2011rc3", "Upgrade to the latest Zephyr release that includes the ATAES132A buffer overflow fix", "Verify that the target device firmware is up to date and that the patched driver is loaded", "Restrict bus access to trusted devices only, ensuring that no untrusted peripherals can send malformed responses"], "summary": {"action": "Apply Patch", "impact": "Kernel memory corruption leading to execution hijack"}, "threat_synthesis": {"affected_systems": "Affected products include Zephyr RTOS version 4.3.0 and its release candidate builds rc1 through rc3 from the zephyrproject\u2011rtos vendor.", "description_and_impact": "The vulnerability resides in the Zephyr ATAES132A crypto driver. Malformed responses with an oversized length field overflow a 52\u2011byte stack buffer, enabling a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution. This is a classic stack buffer overflow (CWE\u2011120).", "risk_and_exploitability": "The CVSS score of 3.8 indicates a moderate risk, and the EPSS score indicates less than a 1% chance that an exploit is actively used. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to have a compromised device or bus level access to send a malicious response, so the attack vector is local/internal to the device. Given the low probability of exploitation and moderate impact, it remains prudent to patch promptly."}}}}, "created": "2026-03-16T09:22:20.822616+00:00", "updated": "2026-04-02T20:23:47.217278+00:00", "vendors": ["zephyrproject-rtos", "zephyrproject-rtos$PRODUCT$zephyr"]}