zephyrproject zephyr up to 4.4.x Supervisor Mode sockets_inet.c recvmsg out-of-bounds write

Summaryinfo

A vulnerability described as critical has been identified in zephyrproject zephyr up to 4.4.x. The affected element is the function recvmsg of the file subsys/net/lib/sockets/sockets_inet.c of the component Supervisor Mode. Executing a manipulation can lead to out-of-bounds write. This vulnerability is tracked as CVE-2026-10643. The attack is restricted to local execution. No exploit exists. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability has been found in zephyrproject zephyr up to 4.4.x and classified as critical. This vulnerability affects the function recvmsg of the file subsys/net/lib/sockets/sockets_inet.c of the component Supervisor Mode. The manipulation with an unknown input leads to a out-of-bounds write vulnerability. The CWE definition for the vulnerability is CWE-787. The product writes data past the end, or before the beginning, of the intended buffer. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg-msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.

The advisory is shared for download at github.com. This vulnerability was named CVE-2026-10643 since 06/02/2026. The exploitation appears to be easy. The attack needs to be approached locally. There are known technical details, but no exploit is available.

Upgrading to version 4.5.0 eliminates this vulnerability. Applying the patch 01fe77b2ec3885583f709a17c5203ce02bd77012 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-39967). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Project Management Software

Vendor

• zephyrproject

Name

• zephyr

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion