CVE-2026-26399

MEDIUM

Arduino_Core_STM32 <1.7.0 - Use After Free

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-26399. PoCs published by Acen28.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-26399, a stack-based use-after-return vulnerability in legacy versions of Arduino_Core_STM32. It includes root cause analysis, affected components, and impact assessment.

Description

A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle registry. After the function returns, interrupt service routines may dereference this dangling pointer, resulting in memory corruption.

Exploits (1)

nomisec WRITEUP 1 stars
by Acen28 · poc
https://github.com/Acen28/CVE-2026-26399-Disclosure

This repository provides a detailed technical analysis of CVE-2026-26399, a stack-based use-after-return vulnerability in legacy versions of Arduino_Core_STM32. It includes root cause analysis, affected components, and impact assessment.

Classification
Writeup 100%
Attack Type
Dos
Complexity
Moderate
Reliability
Theoretical
Target: Arduino_Core_STM32 (v0.1.0 through v1.6.1)
No auth needed
Prerequisites: Legacy versions of Arduino_Core_STM32 · Specific conditions for stack reuse and interrupt timing
devstral-2 · analyzed May 03, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 5.3
EPSS 0.0018
EPSS Percentile 7.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-562
Status published
Published Apr 20, 2026
Tracked Since Apr 20, 2026