CVE-2026-10643
Status: Received - Intake

Buffer Overflow in Zephyr RTOS IP Socket recvmsg()

Vulnerability report for CVE-2026-10643, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: Zephyr Project

Description

Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg->msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.

Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE

Vendor: zephyrproject
Product: zephyr
Version / Range: from 3.6.0 (inclusive) to 4.4.0 (inclusive)

CWE

CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.

AI Quick Actions

Executive Summary

This vulnerability exists in Zephyr's IP socket recvmsg() implementation, specifically in how insert_pktinfo() validates the user-supplied ancillary (msg_control) buffer. The validation compared msg_controllen only against the payload length and omitted the size of the control message header (cmsg header). As a result, a control buffer whose length is at least the payload length but smaller than the full aligned control message (for example 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where the message occupies 28 bytes) passes the validation yet causes an out-of-bounds write of up to one cmsg header (~12 bytes) beyond the buffer's end.

Under CONFIG_USERSPACE, this overflow corrupts kernel heap memory and can be triggered by an unprivileged userspace thread. In supervisor mode, it corrupts the caller's buffer. The vulnerability is triggered when an application calls recvmsg() on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO enabled, providing an undersized control buffer and receiving a datagram.

The fix involves using NET_CMSG_SPACE(pktinfo_len) to properly check the buffer capacity, accounting for both the aligned header and data, and returning an error (-ENOMEM) if the buffer is too small.

Impact Analysis

This vulnerability can lead to a fixed-size out-of-bounds write that corrupts kernel heap memory or the caller's buffer, depending on the mode of operation.

Because the overflow can be triggered from an unprivileged userspace thread under CONFIG_USERSPACE, it crosses the user/kernel boundary that memory protection is meant to enforce: a thread that may not touch kernel memory corrupts the kernel heap immediately past the copied control buffer. The write is fixed in size and lands at a predictable offset, and part of its content (the ipi_addr field) is taken from the destination address of the received datagram, so a remote sender has limited influence over the bytes written. Consequences range from heap corruption and crashes to a possible path to privilege escalation or arbitrary code execution, depending on what is allocated next to the control buffer copy.

Detection Guidance

This vulnerability occurs when an application calls recvmsg() on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO enabled, using an undersized control buffer, and a datagram is received. Detection involves monitoring for abnormal behavior or crashes related to recvmsg() calls with ancillary data buffers that are smaller than required.

Since the issue is tied to the size of the ancillary buffer passed to recvmsg(), audit or instrument applications for recvmsg() calls whose msg_controllen falls in the vulnerable window (e.g., 16-27 bytes for IPv4 IP_PKTINFO on 64-bit targets). The exact bounds depend on the target's cmsghdr size and data alignment, so derive them from the platform's CMSG_SPACE() rather than hard-coding them. Note that under CONFIG_USERSPACE any unprivileged thread can make such a call, so auditing trusted application code reduces accidental exposure but does not remove the attack surface.

Specific commands to detect this vulnerability are not provided in the available resources.
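The guard described in the advisory description and the audit suggested above, as an added example that is not Zephyr's code. It models the pre-patch check (payload length only) beside the patched check (full aligned control-message size) and runs both against a backing buffer with canary bytes standing in for the neighbouring kernel heap, so the overflow is measured instead of being undefined behaviour. Everything in it is an assumption made for the example: the struct layouts (a 12-byte header, a 12-byte IPv4 pktinfo payload, data aligned to 16 as on a 64-bit build), the cmsg_type value, and all names with an ex_ prefix. The window it computes (12-27 bytes) differs from the advisory's 16-27 because the advisory's figures come from Zephyr's real struct definitions, which this example does not reproduce.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the control-message header and the IPv4 pktinfo
 * payload. Sizes and alignments are assumptions for this example (12-byte
 * header, 16-byte data alignment as on a 64-bit build); Zephyr's real
 * definitions in include/zephyr/net/socket.h fix the window the advisory quotes. */
struct ex_cmsghdr {
    uint32_t cmsg_len;
    int32_t  cmsg_level;
    int32_t  cmsg_type;
};

struct ex_in_pktinfo {
    uint32_t ipi_ifindex;
    uint8_t  ipi_spec_dst[4];
    uint8_t  ipi_addr[4];   /* destination IP of the datagram: packet-influenced */
};

#define EX_ALIGN(x, a)     ((((x) + (a) - 1) / (a)) * (a))
#define EX_ALIGN_H(x)      EX_ALIGN((x), (size_t)4)   /* assumed alignof(struct ex_cmsghdr) */
#define EX_ALIGN_D(x)      EX_ALIGN((x), (size_t)16)  /* assumed max data alignment */
#define EX_CMSG_LEN(len)   (EX_ALIGN_H(sizeof(struct ex_cmsghdr)) + (len))
#define EX_CMSG_SPACE(len) (EX_ALIGN_H(sizeof(struct ex_cmsghdr)) + EX_ALIGN_D(len))
#define EX_CANARY          0xA5u

/* Writes one IP_PKTINFO control message at the start of ctrl. fixed == 0 keeps
 * the pre-patch guard (payload length only); fixed == 1 checks the full aligned
 * control-message size as the patch does. Returns bytes written or -ENOMEM. */
static int insert_pktinfo_ex(uint8_t *ctrl, size_t controllen,
                             const struct ex_in_pktinfo *pi, int fixed)
{
    size_t pktinfo_len = sizeof(*pi);
    size_t need = fixed ? EX_CMSG_SPACE(pktinfo_len) : pktinfo_len;
    if (controllen < need) {
        return -ENOMEM;
    }
    struct ex_cmsghdr hdr = {
        .cmsg_len   = (uint32_t)EX_CMSG_LEN(pktinfo_len),
        .cmsg_level = 0,   /* IPPROTO_IP */
        .cmsg_type  = 8,   /* IP_PKTINFO; value is illustrative */
    };
    memcpy(ctrl, &hdr, sizeof hdr);
    memcpy(ctrl + EX_ALIGN_H(sizeof hdr), pi, pktinfo_len);
    return (int)EX_CMSG_LEN(pktinfo_len);
}

/* Models the CONFIG_USERSPACE path: a backing allocation holds controllen live
 * bytes followed by canary bytes standing in for neighbouring kernel heap.
 * Returns the number of canary bytes clobbered (0 = no overflow) or -errno. */
static int run_case_ex(size_t controllen, int fixed)
{
    uint8_t backing[64];
    const struct ex_in_pktinfo pi = {   /* constructed sample datagram metadata */
        .ipi_ifindex = 1, .ipi_spec_dst = {192, 0, 2, 1}, .ipi_addr = {192, 0, 2, 1},
    };
    int clobbered = 0;
    if (controllen > sizeof backing / 2) {
        return -EINVAL;   /* keep at least 32 canary bytes after the live region */
    }
    memset(backing, EX_CANARY, sizeof backing);
    int rc = insert_pktinfo_ex(backing, controllen, &pi, fixed);
    if (rc < 0) {
        return rc;
    }
    for (size_t i = controllen; i < sizeof backing; i++) {
        clobbered += (backing[i] != EX_CANARY);
    }
    return clobbered;
}

/* Audit helper for application code: true when msg_controllen can hold one
 * IP_PKTINFO message under this layout, i.e. lies outside the window the old
 * guard wrongly accepted. */
static int ctrl_len_is_safe_ex(size_t controllen)
{
    return controllen >= EX_CMSG_SPACE(sizeof(struct ex_in_pktinfo));
}

/* Bounds of the under-checked window for this layout. */
static size_t under_checked_lo_ex(void) { return sizeof(struct ex_in_pktinfo); }
static size_t under_checked_hi_ex(void) { return EX_CMSG_SPACE(sizeof(struct ex_in_pktinfo)) - 1; }

int main(void)
{
    printf("under-checked window: %zu-%zu bytes\n", under_checked_lo_ex(), under_checked_hi_ex());
    for (size_t len = 8; len <= 28; len += 4) {
        printf("controllen=%2zu  old guard: %3d  fixed guard: %3d\n",
               len, run_case_ex(len, 0), run_case_ex(len, 1));
    }
    return 0;
}
```

With the old guard, lengths 12 through 23 are accepted and leave 12 down to 1 canary bytes overwritten; the fixed guard rejects everything below 28 with -ENOMEM. On a real target, replace the assumed structs with the platform's struct cmsghdr and struct in_pktinfo and size buffers with CMSG_SPACE(), so that ctrl_len_is_safe_ex() reflects that target rather than this example's layout.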

Mitigation Strategies

The vulnerability is fixed by ensuring that the recvmsg() implementation properly checks the ancillary buffer size using NET_CMSG_SPACE() to account for both the aligned cmsg header and payload.

Immediate mitigation steps include:

  • Update Zephyr RTOS to a version later than v4.4.0 where the fix is applied; this is the only measure that removes the bug from the kernel-side code path.
  • Audit and modify applications so that msg_control is sized with CMSG_SPACE() for every control message the enabled socket options can produce, and is never smaller than the expected control message.
  • Disable or restrict use of IP_PKTINFO/IPV6_RECVPKTINFO (and the hoplimit/timestamping options that share the same path) if not needed.

The application-side measures only govern well-behaved code; under CONFIG_USERSPACE an unprivileged thread can still reach the overflow, so they complement rather than replace the update.
