CVE-2026-26399 - Vulnerability Analysis
Last Updated: April 20, 2026
Arduino_Core_STM32 - Use After Free
Published: April 20, 2026 | Updated: April 20, 2026 | PoC Available
Overview
Arduino_Core_STM32 < 1.7.0 contains a use-after-return vulnerability caused by storing a pointer to a stack-allocated TIM_HandleTypeDef in a global timer handle registry. Interrupt routines that later dereference the stale pointer can corrupt memory. Exploitation requires an interrupt to be triggered after the function has returned.
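The bug class described above, as an added host-side model that is not code from Arduino_Core_STM32 or from its fix. Only the type name TIM_HandleTypeDef comes from the advisory; the struct fields, the registry, all function names and both hardened forms are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in: only the type name comes from the advisory. */
typedef struct { uint32_t instance; uint32_t ticks; } TIM_HandleTypeDef;

#define TIMER_SLOTS 4
/* Hypothetical global registry that the interrupt path reads. */
static TIM_HandleTypeDef *volatile timer_registry[TIMER_SLOTS];

/* Model of the interrupt routine: dereferences whatever is registered. */
int timer_irq(size_t slot) {
    TIM_HandleTypeDef *h = timer_registry[slot];
    if (h == NULL) return -1;          /* nothing registered */
    return (int)++h->ticks;            /* write through the stored pointer */
}

#ifdef DEMO_VULNERABLE /* off by default: an interrupt after return is UB */
void start_timer_vulnerable(size_t slot) {
    TIM_HandleTypeDef handle = { (uint32_t)slot, 0 };
    timer_registry[slot] = &handle;    /* pointer outlives this stack frame */
}                                      /* later timer_irq() hits reused stack */
#endif

/* Hardened form 1: the handle has static storage, so it never expires. */
static TIM_HandleTypeDef timer_handles[TIMER_SLOTS];
void start_timer_static(size_t slot) {
    timer_handles[slot] = (TIM_HandleTypeDef){ (uint32_t)slot, 0 };
    timer_registry[slot] = &timer_handles[slot];
}

/* Hardened form 2: a stack handle is unregistered before its frame ends.
 * On real hardware the timer interrupt must be masked around the clear. */
int one_shot_scoped(size_t slot) {
    TIM_HandleTypeDef handle = { (uint32_t)slot, 0 };
    timer_registry[slot] = &handle;
    int ticks = timer_irq(slot);       /* interrupt fires while frame is live */
    timer_registry[slot] = NULL;       /* no dangling entry survives return */
    return ticks;
}

int main(void) {
    start_timer_static(1);
    printf("static handle, first irq: %d\n", timer_irq(1));
    printf("scoped handle, irq in scope: %d\n", one_shot_scoped(2));
    printf("scoped handle, irq after return: %d\n", timer_irq(2));
    return 0;
}
```

When auditing similar code, look for any assignment of the address of a local variable into storage that an interrupt handler or callback can reach after the enclosing function returns.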
Severity & Score
Severity: N/a
Impact
Interrupt routines can dereference dangling pointers causing memory corruption, potentially leading to system instability or code execution.
Mitigation
Update to version 1.7.0 or later.
Details
- CVE ID: CVE-2026-26399
- Severity: N/a
- Type: use_after_free
- Status: unconfirmed
CVSS Metrics
N/A