zephyrproject zephyr up to 4.4.x getaddrinfo.c getaddrinfo ai_arr[] use after free

Summaryinfo

A vulnerability classified as critical was found in zephyrproject zephyr up to 4.4.x. This affects the function getaddrinfo of the file subsys/net/lib/sockets/getaddrinfo.c. The manipulation of the argument ai_arr[] results in use after free. This vulnerability is cataloged as CVE-2026-10646. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in zephyrproject zephyr up to 4.4.x. It has been classified as critical. Affected is the function getaddrinfo of the file subsys/net/lib/sockets/getaddrinfo.c. The manipulation of the argument ai_arr[] with an unknown input leads to a use after free vulnerability. CWE is classifying the issue as CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object (struct getaddrinfo_state ai_state) as the user_data of an asynchronous DNS resolver query. The socket layer waits on a semaphore with a timeout deliberately set slightly longer than the resolver's own per-query timeout. When that semaphore wait nonetheless times out (-EAGAIN) - which can occur when the resolver's timeout work is delayed by workqueue contention, or in the documented multi-retry configuration where CONFIG_NET_SOCKETS_DNS_TIMEOUT exceeds CONFIG_NET_SOCKETS_DNS_BACKOFF_INTERVAL - the pre-fix code retries the query (goto again) without cancelling the previous one and without resetting the semaphore. The previous query slot remains active in the resolver with its callback and the stack pointer as user_data, and ai_state-dns_id is overwritten so the stale query can no longer be cancelled. A subsequent DNS response delivered over UDP and matched by its 16-bit transaction id (in dispatcher_cb()/dns_read()), or the resolver's own delayed query-timeout work, then invokes dns_resolve_cb() against the now out-of-scope stack frame, writing through the stale pointer (state-status, state-idx, state-ai_arr[], and k_sem_give()). Because the triggering response is network-delivered and its 16-bit id is spoofable/replayable by an on- or off-path attacker, this is a network-influenceable use-after-return that can corrupt reused stack memory, leading to crashes/denial of service or memory corruption. The fix cancels the timed-out query by name and type before retrying and resets the local semaphore, eliminating the stale callback path. Affected: Zephyr v4.0.0 through v4.4.0.

The advisory is available at github.com. This vulnerability is traded as CVE-2026-10646 since 06/02/2026. The exploitability is told to be difficult. It is possible to launch the attack remotely. Technical details are known, but there is no available exploit.

Upgrading to version 4.5.0 eliminates this vulnerability. Applying the patch cd27da58eedb8d0fe380dd340b81ca5afa35de45 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Type

• Project Management Software

Vendor

• zephyrproject

Name

• zephyr

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion