Low severity3.8NVD Advisory· Published Mar 16, 2026· Updated Apr 2, 2026

CVE-2026-0849

Description

Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.

Affected products

Zephyrproject/Zephyr4 versions
cpe:2.3:o:zephyrproject:zephyr:4.3.0:-:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:zephyrproject:zephyr:4.3.0:-:*:*:*:*:*:*
- cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:zephyrproject:zephyr:4.3.0:rc3:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-ff4p-3ggg-prp6nvdExploitPatchVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.247
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000