CVE Catalog

CVE-2026-10643

HighCVSS 8.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile — higher than 2% of all known CVEs

Summary

In Zephyr's IP socket recvmsg() implementation (sockets_inet.c), the insert_pktinfo() function incorrectly validates the control buffer size, omitting the cmsg header size, leading to an out-of-bounds write. This affects versions from 3.6.0 to 4.4.0.

Risk Assessment

An attacker can exploit this vulnerability to write beyond the buffer bounds in kernel heap memory (in userspace mode) or in the caller's buffer (in supervisor mode), potentially causing system integrity compromise, crashes, or privilege escalation.

Recommendation

Immediately update Zephyr to a version containing the fix (above v4.4.0) or apply a patch that adds proper buffer size validation using the NET_CMSG_SPACE() macro.

Original NVD description (English source)

Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg-msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS