Zephyr RTOS
CVE-2026-10643
HIGH
Severity by source: primary rating from the vendor (zephyr).
CVSS 3.1 vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Rationale: a local unprivileged userspace thread (AV:L/PR:L/AC:L) corrupts the kernel heap across the privilege boundary (S:C); a fixed-size, partly controlled write yields high integrity and availability impact and low confidentiality impact.
Description (CVE.org)
Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg->msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.
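The under-checked window from the description, worked through as an added model that is not Zephyr's code: the vulnerable payload-only guard beside a CMSG_SPACE-style guard of the kind the fix introduces. The 16-byte cmsg header, 8-byte alignment and the assumption that a buffer shorter than one header is never written to are modelling assumptions for a 64-bit target, not values taken from the Zephyr sources.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Model of the recvmsg() control-buffer capacity check. The constants are
 * assumptions modelling a 64-bit target, not Zephyr's own definitions:
 * 16-byte cmsg header, 8-byte cmsg alignment, 12-byte IPv4 in_pktinfo. */
#define MODEL_CMSG_HDR   16u
#define MODEL_CMSG_ALIGN  8u
#define IPV4_PKTINFO_LEN 12u

static size_t model_align(size_t n)
{
	return (n + MODEL_CMSG_ALIGN - 1) & ~((size_t)MODEL_CMSG_ALIGN - 1);
}
/* Bytes one control message occupies when written: aligned header + payload. */
static size_t model_cmsg_len(size_t payload)
{
	return model_align(MODEL_CMSG_HDR) + payload;
}
/* Capacity the message needs (CMSG_SPACE): aligned header + aligned payload. */
static size_t model_cmsg_space(size_t payload)
{
	return model_align(MODEL_CMSG_HDR) + model_align(payload);
}

/* Vulnerable guard: compares the buffer against the payload length only.
 * Returns how far the write would run past the buffer (0 if rejected or it
 * fits). Assumes a buffer shorter than one header yields no first cmsg. */
static size_t old_overflow_bytes(size_t controllen, size_t payload)
{
	if (controllen < MODEL_CMSG_HDR || controllen < payload) return 0;
	size_t written = model_cmsg_len(payload);
	return written > controllen ? written - controllen : 0;
}

/* Fixed guard: -ENOMEM unless the buffer holds the whole aligned message. */
static int fixed_check(size_t controllen, size_t payload)
{
	return controllen < model_cmsg_space(payload) ? -ENOMEM : 0;
}
int main(void)
{
	for (size_t len = 12; len <= 32; len++) { /* walk the suspect sizes */
		printf("controllen=%2zu old_overflow=%2zu fixed=%s\n", len,
		       old_overflow_bytes(len, IPV4_PKTINFO_LEN),
		       fixed_check(len, IPV4_PKTINFO_LEN) ? "-ENOMEM" : "ok");
	}
	return 0;
}
```

Under these assumptions the old guard admits buffers of 16 to 27 bytes while the message written is 28 bytes, so the overrun ranges from 12 bytes down to 1; the fixed guard requires 32 bytes and rejects everything shorter with -ENOMEM.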
Analysis (AI)
Out-of-bounds heap write in the Zephyr RTOS IP socket stack (recvmsg/insert_pktinfo) lets an unprivileged local userspace thread corrupt kernel-heap memory on builds with CONFIG_USERSPACE enabled. Affecting versions v3.6.0 through v4.4.0, the flaw is triggered when an application calls recvmsg() with an undersized ancillary (control) buffer on a UDP/IP socket that has IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled and a datagram arrives, overwriting up to one cmsg header (~12 bytes) past the buffer. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Requires the Zephyr build to be compiled with CONFIG_USERSPACE for the kernel-heap (cross-boundary) impact; in supervisor mode only the caller's own buffer is corrupted. … |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H, base 8.7) is internally consistent with the description: exploitation requires a local, low-privileged userspace thread (not remote network exploitation of the corruption itself), low complexity, and a scope change because a userspace thread corrupts kernel-heap memory across the privilege boundary. … |
| Exploit Scenario | On a Zephyr build with CONFIG_USERSPACE, an unprivileged application thread opens a UDP socket, enables IP_PKTINFO, and calls recvmsg() with a control buffer sized in the 16-27 byte window; when a datagram arrives, insert_pktinfo() writes an aligned cmsg header plus payload past the end of the kernel-heap copy, corrupting adjacent kernel heap data. By controlling allocation layout and the source/destination of received packets (the destination IP lands in part of the overwritten bytes), the attacker aims to escalate the heap corruption toward privilege escalation across the userspace/kernel boundary. … |
| Remediation | Upstream fix available (commit 01fe77b2ec3885583f709a17c5203ce02bd77012); a tagged/released patched version is not independently confirmed from the provided data, so update to the first release that incorporates this commit on your branch (or backport it directly) via https://github.com/zephyrproject-rtos/zephyr/commit/01fe77b2ec3885583f709a17c5203ce02bd77012. … |
Recommended Action (AI)
Within 24 hours: Audit infrastructure to identify all systems running Zephyr RTOS versions 3.6.0-4.4.0 with CONFIG_USERSPACE enabled. …
Weakness: CWE-787 – Out-of-bounds Write