CVE-2026-10646

Zephyr RTOS getaddrinfo Use-After-Return in DNS Resolver

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: Zephyr Project

Description

Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object (struct getaddrinfo_state ai_state) as the user_data of an asynchronous DNS resolver query. The socket layer waits on a semaphore with a timeout deliberately set slightly longer than the resolver's own per-query timeout. When that semaphore wait nonetheless times out (-EAGAIN) - which can occur when the resolver's timeout work is delayed by workqueue contention, or in the documented multi-retry configuration where CONFIG_NET_SOCKETS_DNS_TIMEOUT exceeds CONFIG_NET_SOCKETS_DNS_BACKOFF_INTERVAL - the pre-fix code retries the query (goto again) without cancelling the previous one and without resetting the semaphore. The previous query slot remains active in the resolver with its callback and the stack pointer as user_data, and ai_state->dns_id is overwritten so the stale query can no longer be cancelled. A subsequent DNS response delivered over UDP and matched by its 16-bit transaction id (in dispatcher_cb()/dns_read()), or the resolver's own delayed query-timeout work, then invokes dns_resolve_cb() against the now out-of-scope stack frame, writing through the stale pointer (state->status, state->idx, state->ai_arr[], and k_sem_give()). Because the triggering response is network-delivered and its 16-bit id is spoofable/replayable by an on- or off-path attacker, this is a network-influenceable use-after-return that can corrupt reused stack memory, leading to crashes/denial of service or memory corruption. The fix cancels the timed-out query by name and type before retrying and resets the local semaphore, eliminating the stale callback path. Affected: Zephyr v4.0.0 through v4.4.0.
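To make the retry hazard in the description concrete, the following is an added C model written for this page, not Zephyr's getaddrinfo.c or its dns_resolve API: a toy resolver table plus the pre-fix and fixed retry loops, with every name (resolver_submit, resolver_cancel, resolver_stale_count, getaddrinfo_model, struct ai_state) hypothetical. It returns how many resolver slots still hold the callback and a pointer to the caller's stack state after the function returns; a positive count is exactly the stale registration through which dns_resolve_cb() would write in the pre-fix code.

```c
#include <stdbool.h>
#include <string.h>
/* Toy asynchronous resolver (hypothetical model, not Zephyr's dns_resolve API):
 * a table of query slots, each keeping the callback and user_data it was given. */
#define MAX_QUERIES 8
struct query { bool active; int id; const char *name; int type; void (*cb)(int, void *); void *user_data; };
static struct query table[MAX_QUERIES];
static int next_id = 1;

static int resolver_submit(const char *name, int type, void (*cb)(int, void *), void *ud)
{
    for (int i = 0; i < MAX_QUERIES; i++) if (!table[i].active) {
        table[i] = (struct query){ true, next_id++, name, type, cb, ud };
        return table[i].id;
    }
    return -1;
}
/* Cancel active queries for name/type; id < 0 means every id (what the fix's
 * cancel-by-name-and-type helper does), otherwise only that single query. */
static int resolver_cancel(const char *name, int type, int id)
{
    int n = 0;
    for (int i = 0; i < MAX_QUERIES; i++)
        if (table[i].active && table[i].type == type && !strcmp(table[i].name, name) &&
            (id < 0 || table[i].id == id)) { table[i].active = false; n++; }
    return n;
}
/* Slots still registered: each holds a user_data pointer a late reply writes through. */
int resolver_stale_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_QUERIES; i++) n += table[i].active;
    return n;
}

/* Caller-side state that lives on getaddrinfo_model()'s stack, like ai_state does;
 * resolve_cb stands in for dns_resolve_cb() and the ++ for k_sem_give(). */
struct ai_state { int status; int dns_id; int sem_count; };
static void resolve_cb(int status, void *ud) { struct ai_state *s = ud; s->status = status; s->sem_count++; }
/* Retry loop model in which every semaphore wait times out (-EAGAIN); returns how
 * many resolver slots still reference this stack frame once the function returns. */
int getaddrinfo_model(const char *name, int attempts, bool fixed)
{
    struct ai_state st = { 0 };
again:
    st.dns_id = resolver_submit(name, 1, resolve_cb, &st);
    if (--attempts > 0) {
        if (fixed) { resolver_cancel(name, 1, -1); st.sem_count = 0; } /* cancel, reset sem */
        goto again; /* pre-fix: old slot keeps &st, and its id is overwritten here */
    }
    resolver_cancel(name, 1, st.dns_id); /* only the newest id is still known */
    return resolver_stale_count();       /* > 0: a late reply could write into dead st */
}
```

The model never dereferences the dangling pointer itself; it only shows that the pre-fix loop leaves registrations behind that the resolver would later invoke, which is the condition the fix removes.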


Affected Vendors & Products

Vendor          Product   Version / Range
zephyrproject   zephyr    From 4.0.0 (inc) to 4.4.0 (inc)
zephyrproject   zephyr    4.5.0

Exploitability

CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

AI Quick Actions

Executive Summary

CVE-2026-10646 is a use-after-return vulnerability in Zephyr RTOS's BSD-sockets getaddrinfo() function. The issue occurs when a DNS query times out and the code retries the query without cancelling the previous one or resetting the semaphore. This leaves a stale query active in the resolver, with a callback whose user_data points to a stack-allocated state object that has gone out of scope. When a DNS response arrives for that stale query, it triggers the callback, which writes to the no-longer-valid stack memory.

Because the DNS response's 16-bit transaction ID can be spoofed or replayed, an on- or off-path attacker can trigger the stale callback remotely, corrupting reused stack memory and leading to crashes, denial of service, or memory corruption.

Impact Analysis

This vulnerability can lead to memory corruption or crashes in the affected Zephyr RTOS system. An attacker who can spoof DNS responses can exploit this flaw to cause denial of service by crashing the system or corrupting memory, potentially disrupting the normal operation of devices running the vulnerable versions of Zephyr.

Detection Guidance

This vulnerability involves a use-after-return condition triggered by DNS query retries without proper cancellation, which can lead to crashes or memory corruption when spoofed DNS responses are received.

On the device or network, detection would involve monitoring for unusual DNS resolver behaviour such as repeated DNS query retries, semaphore timeouts, or crashes in getaddrinfo() on Zephyr RTOS versions 4.0.0 through 4.4.0.

Since the vulnerability is triggered by spoofed or replayed DNS responses with specific 16-bit transaction IDs, network monitoring tools could be used to detect suspicious DNS traffic patterns or repeated DNS queries with the same transaction IDs.

However, no specific detection commands or tools are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update Zephyr RTOS to version 4.5.0 or later, where the vulnerability has been fixed.

The fix involves cancelling timed-out DNS queries before retrying and resetting the local semaphore to prevent stale callbacks from accessing invalid stack memory.

If upgrading is not immediately possible, consider applying the upstream patch, which introduces a helper to cancel DNS queries by name, type, and DNS ID and resets the semaphore state between retries.

Additionally, network-level mitigations such as filtering or validating DNS responses to prevent spoofed or replayed DNS packets may reduce the risk of exploitation.

Compliance Impact

The vulnerability in Zephyr RTOS's getaddrinfo() implementation leads to potential crashes, denial of service, or memory corruption due to a use-after-return flaw exploitable by spoofed DNS responses.

While the CVE description and resources detail impacts on system integrity and availability, there is no direct information provided about effects on compliance with standards such as GDPR or HIPAA.

Therefore, based on the provided information, it is not possible to determine how this vulnerability specifically affects compliance with common regulations.
