
Zephyr RTOS CVE-2026-10643

HIGH · 8.7 (CVSS 3.1) · Vendor: zephyr
Out-of-bounds Write (CWE-787)
2026-06-27 · zephyr

Severity by source

Vendor (zephyr), primary: 8.7 HIGH, AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
vuln.today AI: 8.7 HIGH

Local unprivileged userspace thread (AV:L/PR:L/AC:L) corrupts kernel heap across the privilege boundary (S:C); fixed partly-controlled write yields high integrity/availability impact and low confidentiality.

CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
CVSS 4.0: AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

Primary rating from Vendor (zephyr).

CVSS Vector (Vendor: zephyr)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 27, 2026 - 23:50 (vuln.today)
Analysis Generated: Jun 27, 2026 - 23:50 (vuln.today)

Description (CVE.org)

Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg->msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.
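The following is an added example, not Zephyr's code and not taken from the fix commit: it models the two capacity checks the description contrasts (payload length only versus NET_CMSG_SPACE-style aligned header plus aligned data) and computes how far a control-message write of aligned-header-plus-payload would run past a buffer that passes the weak check. The header size, alignment and pktinfo payload size are assumptions chosen to reproduce the figures in the description (a ~12-byte cmsg header rounded up to 16 on a 64-bit target, a 12-byte IPv4 pktinfo payload, 28 bytes per element); a real build's values come from its own struct cmsghdr and alignment rules, and the exact lower edge of the under-checked window depends on the length the real guard compared against. The function names are hypothetical.

```c
/* Added example (not Zephyr's code): models the recvmsg() ancillary-buffer
 * capacity check described for CVE-2026-10643.  All sizes below are
 * assumptions chosen to match the description's figures, not values read
 * from a Zephyr header. */
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

#define MODEL_CMSGHDR_SIZE 12u /* assumed: socklen_t len + int level + int type */
#define MODEL_ALIGN        16u /* assumed: maximum alignment on a 64-bit target */
#define MODEL_PKTINFO_LEN  12u /* assumed: ifindex + spec_dst + addr, 4 bytes each */

static size_t round_up(size_t x, size_t a)
{
    return (x + a - 1) / a * a;
}

/* Bytes actually written for one control message: aligned header + payload.
 * With the assumed sizes this is 16 + 12 = 28 for IPv4 pktinfo. */
size_t model_cmsg_len(size_t payload_len)
{
    return round_up(MODEL_CMSGHDR_SIZE, MODEL_ALIGN) + payload_len;
}

/* Space one control message needs: aligned header + aligned payload.
 * This is the quantity the fix compares against (NET_CMSG_SPACE). */
size_t model_cmsg_space(size_t payload_len)
{
    return round_up(MODEL_CMSGHDR_SIZE, MODEL_ALIGN) +
           round_up(payload_len, MODEL_ALIGN);
}

/* Vulnerable guard: only the payload length is checked, so a buffer that
 * holds the payload but not the header is accepted.  0 means accepted. */
int vulnerable_check(size_t controllen, size_t payload_len)
{
    return controllen < payload_len ? -ENOMEM : 0;
}

/* Fixed guard: the whole control message (header + data, both aligned)
 * must fit in the caller's buffer, otherwise -ENOMEM. */
int fixed_check(size_t controllen, size_t payload_len)
{
    return controllen < model_cmsg_space(payload_len) ? -ENOMEM : 0;
}

/* Number of bytes the vulnerable path would write past the end of a
 * control buffer of controllen bytes; 0 when rejected or when it fits. */
size_t overflow_bytes(size_t controllen, size_t payload_len)
{
    if (vulnerable_check(controllen, payload_len) != 0) {
        return 0;
    }
    size_t written = model_cmsg_len(payload_len);
    return written > controllen ? written - controllen : 0;
}

int main(void)
{
    /* Walk the buffer sizes around the window the description cites. */
    for (size_t n = 8; n <= 32; n++) {
        printf("controllen=%2zu  vulnerable=%s  fixed=%s  overflow=%zu\n", n,
               vulnerable_check(n, MODEL_PKTINFO_LEN) == 0 ? "accept" : "reject",
               fixed_check(n, MODEL_PKTINFO_LEN) == 0 ? "accept" : "reject",
               overflow_bytes(n, MODEL_PKTINFO_LEN));
    }
    return 0;
}
```

Under these assumptions a 16-byte buffer passes the weak check and the write overruns it by 12 bytes (one header's worth, as the description states), a 27-byte buffer overruns by 1 byte, and the fixed check rejects every length below 32 (the aligned header plus the 12-byte payload rounded up to 16). Treating the gap between what the guard checks and what the code writes as a single audit question, "does the check use the same size the write uses?", is the general lesson for any cmsg or TLV-style writer.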

Analysis (AI)

Out-of-bounds heap write in the Zephyr RTOS IP socket stack (recvmsg/insert_pktinfo) lets an unprivileged local userspace thread corrupt kernel-heap memory on builds with CONFIG_USERSPACE enabled. Affecting versions v3.6.0 through v4.4.0, the flaw is triggered when an application calls recvmsg() with an undersized ancillary (control) buffer on a UDP/IP socket that has IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled and a datagram arrives, overwriting up to one cmsg header (~12 bytes) past the buffer. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Run as unprivileged userspace thread
Delivery: Enable IP_PKTINFO on UDP socket
Exploit: Call recvmsg() with undersized control buffer
Execution: Inbound datagram triggers OOB cmsg write
Persist: Corrupt adjacent kernel heap
Impact: Escalate toward kernel privilege

Vulnerability Assessment (AI)

Exploitation: Requires the Zephyr build to be compiled with CONFIG_USERSPACE for the kernel-heap (cross-boundary) impact; in supervisor mode only the caller's own buffer is corrupted. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H, base 8.7) is internally consistent with the description: exploitation requires a local, low-privileged userspace thread (not remote network exploitation of the corruption itself), low complexity, and a scope change because a userspace thread corrupts kernel-heap memory across the privilege boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: On a Zephyr build with CONFIG_USERSPACE, an unprivileged application thread opens a UDP socket, enables IP_PKTINFO, and calls recvmsg() with a control buffer sized in the 16-27 byte window; when a datagram arrives, insert_pktinfo() writes an aligned cmsg header plus payload past the end of the kernel-heap copy, corrupting adjacent kernel heap data. By controlling allocation layout and the source/destination of received packets (the destination IP lands in part of the overwritten bytes), the attacker aims to escalate the heap corruption toward privilege escalation across the userspace/kernel boundary. …

Remediation: Upstream fix available (commit 01fe77b2ec3885583f709a17c5203ce02bd77012); a tagged/released patched version is not independently confirmed from the provided data, so update to the first release that incorporates this commit on your branch (or backport it directly) via https://github.com/zephyrproject-rtos/zephyr/commit/01fe77b2ec3885583f709a17c5203ce02bd77012. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Audit infrastructure to identify all systems running Zephyr RTOS versions 3.6.0-4.4.0 with CONFIG_USERSPACE enabled. …



CVE-2026-10643 vulnerability details – vuln.today
