CVE-2026-5066 in Zephyr
Summary
by MITRE • 06/05/2026
A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller-supplied address into a fixed-size buffer using the caller-controlled addrlen value without validating it against the destination size. struct net_sockaddr is an opaque type, so an application can pass an addrlen larger than sizeof(struct net_sockaddr) (for example 128 bytes into a 24-byte stack buffer), causing the memcpy to read and write past the end of the address memory used by the TLS session cache. This out-of-bounds write can lead to a crash and denial of service, and potentially to arbitrary code execution.
Analysis
by VulDB Data Team • 06/05/2026
This vulnerability is a critical out-of-bounds memory access in the TLS socket implementation of the network sockets subsystem, specifically in the tls_session_store() and tls_session_restore() functions in subsys/net/lib/sockets/sockets_tls.c. It is reachable only when the TLS session cache is enabled; in that configuration, attacker-controlled data can be written beyond the intended buffer boundaries. The root cause is insufficient input validation: the code accepts a caller-supplied addrlen parameter and uses it without bounds checking against the fixed-size destination buffer, which is typically much smaller than the value a caller can provide.
The flaw is triggered through the net_sockaddr opaque type, which lets an application specify an address length that exceeds the actual size of the internal buffer. When an application passes an addrlen of 128 bytes for a 24-byte stack buffer, the memcpy performs an out-of-bounds write that can corrupt adjacent memory, including stack canaries, return addresses, or other critical data structures. This type of flaw falls under CWE-121, heap-based buffer overflow, and more specifically aligns with CWE-787, out-of-bounds write, as the memory corruption occurs beyond the bounds of the allocated buffer. The vulnerability can be exploited through the ATT&CK technique T1059.007, command and scripting interpreter, where an attacker could craft malicious TLS connection attempts to trigger the vulnerable code path.
The operational impact extends beyond simple denial of service: the out-of-bounds corruption can cause unpredictable behavior, including system crashes and application termination, and in more severe cases arbitrary code execution. Because the corruption occurs in the TLS session cache, a mechanism fundamental to maintaining secure network connections, the flaw is particularly dangerous in network infrastructure components. Affected systems are those that use the vulnerable socket library with TLS session caching enabled, which can include web servers, database connections, and any application requiring secure socket communications. The exploitation risk is elevated because the vulnerable path is reached through normal TLS connection establishment, without special privileges or complex attack vectors, making this a high-severity issue that requires immediate attention.
Mitigation should focus on proper input validation and bounds checking in the TLS session cache functions, so that a caller-supplied address length can never exceed the destination buffer. The recommended fix adds an explicit check comparing addrlen against sizeof(struct net_sockaddr) before any memory operation occurs, with proper error handling when the check fails: return an appropriate error code rather than proceeding with the copy. Stack canaries and address space layout randomization further reduce the exploitation potential of any remaining flaws of this kind. Organizations should also monitor for anomalous TLS connection patterns that might indicate exploitation attempts, and apply patches promptly to remove the underlying buffer overflow.
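To make the flaw and the recommended check concrete, here is an added C example. It is not Zephyr's sockets_tls.c and not the project's patch; it models the pattern the summary describes (a session-cache store that memcpy's a caller-supplied address with a caller-controlled addrlen into a fixed-size slot) next to store and restore routines that validate the length against the destination before copying. struct session_entry, ADDR_SLOT_SIZE, session_store_unchecked, session_store_checked and session_restore_checked are hypothetical names chosen for the example; the 24-byte slot and the 128-byte addrlen mirror the figures quoted in the summary. The unchecked copy is run into a guarded union so the spill can be measured without corrupting a real stack frame.

```c
/* Added example, not Zephyr code.  Models the advisory's pattern: a session-cache
 * store that memcpy's a caller-supplied address with a caller-controlled length
 * into a fixed-size slot, beside bounds-checked store and restore.  All type,
 * macro and function names are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_SLOT_SIZE 24   /* mirrors the 24-byte destination quoted in the summary */

struct session_entry {
    uint8_t addr[ADDR_SLOT_SIZE];   /* fixed-size copy of the peer address */
    size_t  addrlen;                /* length the caller reported */
};

/* Vulnerable pattern: addrlen is trusted, so the copy length is caller-controlled. */
static void session_store_unchecked(struct session_entry *e, const void *addr, size_t addrlen)
{
    memcpy(e->addr, addr, addrlen);
    e->addrlen = addrlen;
}

/* Hardened store: compare addrlen with the destination size before any copy. */
int session_store_checked(struct session_entry *e, const void *addr, size_t addrlen)
{
    if (e == NULL || addr == NULL || addrlen == 0 || addrlen > sizeof(e->addr)) {
        return -EINVAL;
    }
    memcpy(e->addr, addr, addrlen);
    e->addrlen = addrlen;
    return 0;
}

/* Hardened restore: never read past the slot or write past the caller's buffer. */
int session_restore_checked(const struct session_entry *e, void *addr, size_t *addrlen)
{
    if (e == NULL || addr == NULL || addrlen == NULL ||
        e->addrlen > sizeof(e->addr) || *addrlen < e->addrlen) {
        return -EINVAL;
    }
    memcpy(addr, e->addr, e->addrlen);
    *addrlen = e->addrlen;
    return 0;
}

/* The entry sits at the front of a larger union member, so the unchecked copy
 * spills into bytes we own and can inspect instead of a real stack frame. */
union guarded_entry {
    struct session_entry entry;
    uint8_t raw[sizeof(struct session_entry) + 128];
};

/* Bytes the unchecked store writes beyond the end of the whole entry. */
size_t bytes_spilled_unchecked(size_t addrlen)
{
    union guarded_entry g;
    uint8_t src[128];
    size_t spilled = 0;

    if (addrlen > sizeof(src)) {
        return 0;   /* keep the demonstration inside the guard region */
    }
    memset(g.raw, 0xAA, sizeof(g.raw));   /* guard pattern */
    memset(src, 0x5A, sizeof(src));       /* constructed "address" bytes */
    session_store_unchecked(&g.entry, src, addrlen);
    for (size_t i = sizeof(struct session_entry); i < sizeof(g.raw); i++) {
        if (g.raw[i] != 0xAA) {
            spilled++;
        }
    }
    return spilled;
}

/* Return code of the checked store for one caller-supplied addrlen. */
int checked_store_result(size_t addrlen)
{
    struct session_entry e = {0};
    uint8_t src[128];

    memset(src, 0x5A, sizeof(src));
    return session_store_checked(&e, src, addrlen);
}

/* Store 16 bytes, then restore into a caller buffer of the given size. */
int checked_restore_result(size_t buflen)
{
    struct session_entry e = {0};
    uint8_t src[16] = {0x5A}, out[ADDR_SLOT_SIZE];
    size_t outlen = buflen;

    if (buflen > sizeof(out) || session_store_checked(&e, src, sizeof(src)) != 0) {
        return -EINVAL;
    }
    return session_restore_checked(&e, out, &outlen);
}

int main(void)
{
    printf("unchecked, addrlen=128: %zu bytes written past the entry\n", bytes_spilled_unchecked(128));
    printf("checked, addrlen=128: %d (-EINVAL is %d)\n", checked_store_result(128), -EINVAL);
    printf("checked, addrlen=24:  %d\n", checked_store_result(24));
    return 0;
}
```

Compile with any C99 compiler and run: the first line reports how many bytes of caller data landed past the end of the entry when the length is trusted, the next two show the checked store refusing the oversized length and accepting one that fits. The comparison in the checked routines is the one the mitigation calls for, addrlen against the sizeof of the destination, performed before any memcpy; the restore side applies the mirror-image check so a cached entry can never be copied into a caller buffer that is too small.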