CVE-2026-5066
Awaiting Analysis
Out-of-Bounds Write in Zephyr RTOS Network Sockets TLS

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: Zephyr Project

Description
A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller-supplied address into a fixed-size buffer using the caller-controlled addrlen value without validating it against the destination size. struct net_sockaddr is an opaque type, so an application can pass an addrlen larger than sizeof(struct net_sockaddr) (for example 128 bytes into a 24-byte stack buffer), causing the memcpy to read and write past the end of the address memory used by the TLS session cache. This out-of-bounds write can lead to a crash and denial of service, and potentially to arbitrary code execution.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-05
Generated: 2026-06-26
AI Q&A: 2026-06-05
EPSS Evaluated: 2026-06-24
Affected Vendors & Products
Vendor: zephyrproject
Product: zephyr
Version / Range: *
CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability is an out-of-bounds write and read issue in the TLS socket connect path of the network sockets subsystem. Specifically, when the TLS session cache is enabled, the functions tls_session_store() and tls_session_restore() use memcpy to copy data from a caller-supplied address into a fixed-size buffer. However, they do not validate the length of the data (addrlen) against the size of the destination buffer. Because the struct net_sockaddr is opaque, an application can supply an addrlen larger than the actual buffer size, causing memcpy to read and write beyond the intended memory boundaries.

This out-of-bounds memory access can lead to a crash, resulting in denial of service, and may also allow an attacker to execute arbitrary code.

Impact Analysis

The vulnerability can cause a system crash leading to denial of service, disrupting normal operations.

Additionally, because it involves out-of-bounds memory writes, it may allow an attacker to execute arbitrary code, potentially compromising system security and control.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability is triggered when a connect call on a TLS socket passes an addrlen value larger than the size of struct net_sockaddr, causing out-of-bounds memory access during the memcpy operations in the TLS session cache functions.

To detect this vulnerability on your system, you should check if your Zephyr RTOS version is vulnerable (versions <= 4.3) and if the TLS session cache is enabled.

Since the issue involves malformed addrlen values passed to socket connect operations, monitoring or logging socket connect calls with unusually large addrlen values could help detect exploitation attempts.

However, no specific detection commands or network signatures are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to update your Zephyr RTOS to a patched version where this vulnerability is fixed. Patches are available for versions 4.3, 4.2, and 3.7.

If updating immediately is not possible, consider disabling the TLS session cache feature to prevent the vulnerable memcpy operations from occurring.

Additionally, ensure that applications do not pass addrlen values larger than sizeof(struct net_sockaddr) to socket connect calls.
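
The length check that the mitigation above calls for, as an added example that is not Zephyr's code or the project's patch. The names cache_entry, cache_store_addr and cache_match_addr are hypothetical stand-ins, and the 24-byte slot and 128-byte input mirror the sizes used in the description.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in, not a Zephyr definition: 24-byte address slot. */
#define ADDR_SLOT_SIZE 24

struct cache_entry {
    unsigned char peer_addr[ADDR_SLOT_SIZE]; /* fixed-size destination */
    size_t peer_addrlen;
    unsigned char canary[8]; /* models adjacent memory an overflow would hit */
};

/* Store a peer address only if the caller's addrlen fits the slot. */
int cache_store_addr(struct cache_entry *e, const void *addr, size_t addrlen)
{
    if (e == NULL || addr == NULL || addrlen == 0)
        return -EINVAL;
    if (addrlen > sizeof(e->peer_addr)) /* bound the copy by the destination */
        return -EINVAL;
    memset(e->peer_addr, 0, sizeof(e->peer_addr));
    memcpy(e->peer_addr, addr, addrlen);
    e->peer_addrlen = addrlen;
    return 0;
}

/* Lookup side: never compare more bytes than the slot holds. */
int cache_match_addr(const struct cache_entry *e, const void *addr, size_t addrlen)
{
    if (e == NULL || addr == NULL || addrlen == 0 || addrlen > sizeof(e->peer_addr))
        return 0;
    return addrlen == e->peer_addrlen && memcmp(e->peer_addr, addr, addrlen) == 0;
}

/* Returns 1 when an oversized addrlen is rejected and neighbours stay intact. */
int demo_oversized_is_rejected(void)
{
    struct cache_entry e;
    unsigned char big[128]; /* constructed oversized input */
    memset(&e, 0, sizeof(e));
    memset(e.canary, 0xA5, sizeof(e.canary));
    memset(big, 0x41, sizeof(big));
    if (cache_store_addr(&e, big, sizeof(big)) != -EINVAL) return 0;
    if (cache_store_addr(&e, big, 16) != 0 || !cache_match_addr(&e, big, 16)) return 0;
    if (cache_match_addr(&e, big, sizeof(big))) return 0;
    for (size_t i = 0; i < sizeof(e.canary); i++)
        if (e.canary[i] != 0xA5) return 0;
    return 1;
}

int main(void) { return demo_oversized_is_rejected() ? 0 : 1; }
```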
