Directory Traversal Vulnerability in Zephyr's ext2 Directory-Entry Parser
CVE-2026-10645

4.9 MEDIUM

Key Information:

CVE Published: 22 June 2026

What is CVE-2026-10645?

The ext2 directory-entry parser in Zephyr does not properly validate the structure of on-disk directory entries, which can lead to unvalidated memory copies. The flaw is reached during directory traversal operations, such as pathname lookups or file manipulations, and can result in denial of service or out-of-bounds reads. An attacker can trigger it by having a specially crafted ext2 image mounted from untrusted media, causing either excessive resource consumption or corruption of memory with invalid data.
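The checks a directory-entry parser needs before copying a name out of an untrusted block, as an added example based on the standard ext2 on-disk entry layout (it is not Zephyr's code, and the page does not say which checks the fix applies). The names `dirent_view`, `dirent_parse` and `dir_block_count` are hypothetical, and the sample block in `main` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DIRENT_HDR 8u /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */

struct dirent_view { /* hypothetical parsed form, not a Zephyr type */
    uint32_t inode; uint16_t rec_len; uint8_t name_len;
    char name[256]; /* name_len is 8 bits: at most 255 bytes + NUL */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate and copy out the entry at off; 0 on success, -1 if malformed. */
int dirent_parse(const uint8_t *blk, size_t blk_size, size_t off, struct dirent_view *out)
{
    if (off > blk_size || blk_size - off < DIRENT_HDR) return -1; /* header must fit */
    const uint8_t *e = blk + off;
    uint16_t rec_len = le16(e + 4);
    uint8_t name_len = e[6];
    if (rec_len < DIRENT_HDR || (rec_len & 3u)) return -1; /* rec_len 0 never advances */
    if (rec_len > blk_size - off) return -1;        /* must not cross the block end */
    if (DIRENT_HDR + name_len > rec_len) return -1; /* name must fit in the record */
    out->inode = (uint32_t)le16(e) | ((uint32_t)le16(e + 2) << 16);
    out->rec_len = rec_len;
    out->name_len = name_len;
    memcpy(out->name, e + DIRENT_HDR, name_len);    /* length is now bounded */
    out->name[name_len] = '\0';
    return 0;
}

/* Walk one directory block; returns live entry count, or -1 on a malformed entry. */
int dir_block_count(const uint8_t *blk, size_t blk_size)
{
    struct dirent_view d;
    size_t off = 0;
    int n = 0;
    while (off < blk_size) {
        if (dirent_parse(blk, blk_size, off, &d) != 0) return -1;
        if (d.inode != 0) n++; /* inode 0 marks an unused slot */
        off += d.rec_len;      /* rec_len >= 8, so the walk terminates */
    }
    return n;
}

int main(void) { /* constructed 12-byte block holding one entry named "." */
    uint8_t blk[12] = {2, 0, 0, 0, 12, 0, 1, 2, '.'};
    return dir_block_count(blk, sizeof blk) == 1 ? 0 : 1;
}
```

Rejecting a zero or undersized `rec_len` addresses the resource-consumption case, and the block-end and `name_len` checks address the out-of-bounds read.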

Affected Version(s)

Zephyr * <= 4.4

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
