CVE-2026-1679 PUBLISHED

net: eswifi socket send payload length not bounded

Assigner: zephyr
Reserved: 30.01.2026 Published: 27.03.2026 Updated: 27.03.2026

The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow eswifi->buf, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
CVSS Score: 7.3

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	zephyrproject-rtos
Product	Zephyr
Versions	Default: unaffected affected from * to 4.3 (incl.)

References

https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-qx3g-5g22-fq5w

Problem Types

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE