CVE-2026-26399

Vulnerability Description

A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the function returns, interrupt service routines may dereference this dangling pointer, resulting in memory corruption.

Vulnerability Details

Published Date

April 20, 2026

Last Modified

April 20, 2026

Source

NVD

External References

https://github.com/Acen28/CVE-2026-26399-Disclosure
https://github.com/stm32duino/Arduino_Core_STM32/releases/tag/1.6.1

CVE-2026-26399

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment