{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26399", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-22T19:53:16.622Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-04-20T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T17:04:17.309Z"}, "descriptions": [{"lang": "en", "value": "A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the function returns, interrupt service routines may dereference this dangling pointer, resulting in memory corruption."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/stm32duino/Arduino_Core_STM32/releases/tag/1.6.1"}, {"url": "https://github.com/Acen28/CVE-2026-26399-Disclosure"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-562", "lang": "en", "description": "CWE-562 Return of Stack Variable Address"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:48:51.466507Z", "id": "CVE-2026-26399", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T19:53:16.622Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26399", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:48:51.466507Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-562", "description": "CWE-562 Return of Stack Variable Address"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:50:07.094Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/stm32duino/Arduino_Core_STM32/releases/tag/1.6.1"}, {"url": "https://github.com/Acen28/CVE-2026-26399-Disclosure"}], "descriptions": [{"lang": "en", "value": "A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the function returns, interrupt service routines may dereference this dangling pointer, resulting in memory corruption."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T17:04:17.309Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26399", "state": "PUBLISHED", "dateUpdated": "2026-04-22T19:53:16.622Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the function returns, interrupt service routines may dereference this dangling pointer, resulting in memory corruption."}], "id": "CVE-2026-26399", "lastModified": "2026-04-22T21:16:39.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-20T18:16:25.040", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Acen28/CVE-2026-26399-Disclosure"}, {"source": "cve@mitre.org", "url": "https://github.com/stm32duino/Arduino_Core_STM32/releases/tag/1.6.1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-562"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.0)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "arduino_core_stm32", "vendor": "stm32duino"}], "analysis": {"en": {"generated_at": "2026-04-27T19:55:30.350025+00:00", "value": {"mitigation_remediation": ["Upgrade the Arduino_Core_STM32 library to version 1.7.0 or later, which removes the stack allocation and global pointer registration flaw.", "If an upgrade is not immediately possible, refrain from calling the pwm_start() function until the library is updated.", "Review the firmware to ensure that no interrupt service routines dereference unrelated global timer handles and replace any vulnerable calls with safer alternatives."], "summary": {"action": "Apply Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "Any STM32-based project that uses the Arduino_Core_STM32 library and calls the pwm_start() function in a library version earlier than 1.7.0 is affected. Devices with this library are at risk when PWM functionality is utilized.", "description_and_impact": "A stack-use-after-return vulnerability exists in the Arduino_Core_STM32 library before version 1.7.0. The pwm_start() function creates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where the pointer is stored in a global timer handle registry. When pwm_start() returns, the pointer remains registered globally and interrupt service routines may later dereference this dangling pointer, causing memory corruption. This flaw corresponds to CWE\u2011562 (Access of Uninitialized Variable), and can compromise data integrity by overwriting memory locations.", "risk_and_exploitability": "The EPSS score is reported as < 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation. The CVSS score of 5.3 denotes moderate severity. The attack vector is inferred to involve triggering the pwm_start() function through user\u2011controlled input or firmware logic that activates PWM, after which interrupt handlers may use an invalid global timer handle. This inference is based on the described behavior of the library and the timing of the dangling pointer usage."}}}}, "created": "2026-04-20T18:45:14.230792+00:00", "updated": "2026-04-28T09:26:50.391921+00:00", "vendors": ["stm32duino", "stm32duino$PRODUCT$arduino_core_stm32"]}