Monday 13 July 2026, 05:03 PM
Unpacking CVE-2026-10665: Pre-auth memory corruption in Zephyr RTOS WireGuard
CVE-2026-10665 is a critical pre-auth out-of-bounds write in Zephyr RTOS 4.4 WireGuard, allowing remote memory corruption and DoS in IoT devices.
Growing pains at the edge: Zephyr meets WireGuard
We all love a good feature drop, and when Zephyr RTOS 4.4.0 rolled out on April 14, 2026, it brought something the embedded world had been eagerly waiting for: a native WireGuard VPN subsystem. Bringing modern, lean cryptography to resource-constrained IoT devices is exactly the kind of leap forward we need to secure the edge. It opens up a massive playground for developers building the next generation of connected devices.
But as anyone who has ever pushed code to production knows, moving fast and breaking things takes on a whole new meaning when you're dealing with over 10 million deployed hardware endpoints.
On July 12, 2026, the ecosystem got a bit of a reality check with the disclosure of CVE-2026-10665, a critical out-of-bounds write vulnerability in this shiny new WireGuard implementation. Rather than looking at this as a setback, I see it as a fascinating look into how open-source ecosystems mature, and a massive opportunity for us to rethink how we handle embedded device lifecycles.
Peeking under the hood of a pre-auth bypass
The magic of WireGuard has always been its stealth. Its core security promise is that it silently drops unauthenticated packets—if you don't have the right cryptographic keys, the device doesn't even acknowledge you exist. It’s brilliant for preventing unauthorized scanning.
However, CVE-2026-10665 manages to slip past the bouncer before IDs are even checked.
The flaw lives inside the wg_process_data_message() function. When an attacker sends a UDP datagram, the length of that attacker-controlled data is passed to net_buf_linearize without a proper upper-bound check. This effectively neutralizes Zephyr's internal safety mechanisms. The underlying memcpy operation just keeps writing past the fixed pool buffer, causing memory corruption.
Crucially, this all happens before the Poly1305 cryptographic authentication check kicks in. For headless IoT devices, this translates to a zero-click remote attack vulnerability requiring nothing more than a valid receiver session index. It’s a reliable path to Denial of Service (DoS) and, if weaponized correctly, Remote Code Execution (RCE).
The silver lining for IoT infrastructure
A CVSS 7.4 vulnerability that allows zero-click memory corruption on headless devices sounds like a nightmare, but let’s look at the broader picture. This is exactly the kind of catalyst the hardware industry needs to modernize.
For years, we’ve talked about the importance of Over-The-Air (OTA) updates. If you are a founder building in the IoT space right now, CVE-2026-10665 is your ultimate proof of concept for why seamless, automated OTA infrastructure isn't just a "nice-to-have" feature—it is the entire ballgame. Hardware manufacturers are currently having to halt firmware flashing to integrate patches, which highlights a massive market opportunity for startups building better embedded CI/CD pipelines and deployment tools.
When a vulnerability like this drops, the companies that can push a fleet-wide update in minutes are the ones that will win the market. It pushes the whole industry toward better operational hygiene.
An ecosystem leveling up in real time
What I find incredibly encouraging is how the Zephyr Project’s PSIRT handled this. They moved with the kind of agility you usually only see in hyper-growth startups.
They coordinated a patch (commit 6d8bb28dc906) right alongside the public disclosure, ensuring there was no zero-day exploitation window. The fix elegantly introduces an explicit rejection for oversized data lengths and corrects the destination capacity parameter.
Even more interestingly, the disclosure of CVE-2026-10665 coincided with a few other high-severity network stack vulnerabilities in Zephyr 4.4, namely CVE-2026-10666 and CVE-2026-10667. Far from being a bad sign, this cluster of disclosures tells me something highly positive: the OS’s network stack is undergoing a rigorous, coordinated security audit. Security vendors are already rolling out automated scans, and the community is actively fuzzing the network stack to shake out the bugs.
We are pushing the boundaries of what tiny, edge-computing devices can do. Bringing WireGuard to Zephyr was an ambitious, necessary step for secure communication. A few memory corruption bugs along the way aren't roadblocks; they are just the necessary stress tests we have to pass to build a wildly secure, interconnected future.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-10665
- https://secably.com/cve/CVE-2026-10665/
- https://echelongraph.io/pulse/CVE-2026-10665
- https://www.youtube.com/watch?v=KoMIB980bpU
- https://www.zephyrproject.org/zephyr-rtos-4-4-now-available-wireguard-wi-fi-direct-openrisc-and-more/
- https://www.zephyrproject.org/
- https://docs.zephyrproject.org/latest/security/vulnerabilities.html
- https://dbugs.ptsecurity.com/vulnerability/PT-2026-57567
- https://www.hackerstorm.com/search-insights/search-cves-nvd
- https://cve.threatint.eu/
- https://en.wikipedia.org/wiki/Zephyr_(operating_system)
- https://www.tenable.com/cve
- https://app.opencve.io/cve/?product=call_of_duty%5C&vendor=activision
- https://www.threat.live/cve/?lang=en
- https://cve.enginsight.com/