CVE-2026-10643 in zephyrinfo

Summary

by MITRE • 06/28/2026

Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg->msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.


Analysis

by VulDB Data Team • 06/28/2026

The vulnerability described represents a critical heap buffer overflow in Zephyr's network stack implementation that arises from improper validation of ancillary data buffers during socket receive operations. This flaw exists in the recvmsg() function within the networking library subsystem, specifically in the insert_pktinfo() helper function that processes IP_PKTINFO control messages for both IPv4 and IPv6 protocols. The core issue stems from a miscalculated buffer size check that fails to account for the complete control message structure including the cmsg header, leading to a predictable out-of-bounds write condition.

The technical implementation flaw manifests when applications configure UDP/IP sockets with IP_PKTINFO or IPV6_RECVPKTINFO options enabled and subsequently call recvmsg() with a control buffer that is insufficiently sized. The validation logic only considers the payload length component of the control message structure, neglecting the mandatory cmsg header size that must be accounted for in the total buffer capacity calculation. On 64-bit targets, this creates a specific vulnerable window where buffers sized between 16-27 bytes can pass validation yet cause corruption of up to 12 bytes beyond the intended buffer boundary. This occurs because each control message element requires 28 bytes of total space on the target platform due to alignment requirements.

The operational impact of this vulnerability extends significantly across different execution contexts within Zephyr's security model. Under CONFIG_USERSPACE configuration, where kernel heap memory is managed through verifier mechanisms, the overflow corrupts kernel heap memory from unprivileged userspace threads, potentially enabling privilege escalation or system stability compromise. In supervisor mode operation, the corruption affects the caller's own buffer space, which can still lead to application crashes or data corruption in critical network processing paths. The vulnerability is particularly concerning because it allows attackers to influence specific bytes of the overwritten memory region - specifically the destination IP address field (ipi_addr) within the control message structure - making the exploitation potentially more predictable and impactful.

The exploitability characteristics align with common security frameworks, where this vulnerability maps to CWE-121 for buffer overflow conditions and CWE-787 for out-of-bounds write operations. The attack vector follows ATT&CK technique T1059.003 for command and control through network protocols, while the privilege escalation aspect relates to T1068 for local privilege escalation. The vulnerability affects a substantial range of Zephyr versions from v3.6.0 through v4.4.0, indicating this flaw has persisted across multiple major releases and likely impacts numerous embedded systems relying on Zephyr's networking capabilities. The fix implemented addresses the root cause by updating the buffer capacity validation to properly account for both header and data alignment requirements using the NET_CMSG_SPACE() macro, ensuring that the total required space including aligned cmsg headers is properly validated before any memory operations occur.

The mitigation strategy involves updating all affected Zephyr versions to implementations that correctly calculate control buffer requirements, with the fix returning -ENOMEM when insufficient buffer space is detected rather than proceeding with potentially corrupting operations. This approach ensures proper error handling and prevents the heap corruption while maintaining the expected functionality of the socket receive operations. The vulnerability demonstrates how seemingly minor validation logic errors in low-level system components can create significant security implications in embedded operating systems where memory safety is paramount.

Responsible

Zephyr

Reservation

06/02/2026

Disclosure

06/28/2026

Moderation

accepted

CPE

ready

EPSS

0.00117

KEV

no

Activities

very low
