CVE-2026-0849 — Classic Buffer Overflow in Zephyr

CWE-120 — Classic Buffer Overflow3 documents3 sources

Severity

6.8MEDIUMNVD

CNA3.8

EPSS

0.0%

top 94.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zephyrproject-rtos Zephyr Zephyrproject Zephyr

Timeline

Latest updateMar 14

PublishedMar 16

Description

Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5zephyrproject-rtos/zephyr* — 4.3

▶NVDzephyrproject/zephyr4.3.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

crypto: ATAES132A response length allows stack buffer overflow↗2026-03-14

▶

🕵️Threat Intelligence

Wiz

CVE-2026-0849 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶