CVE-2026-10666
Received Received - Intake

Stack Buffer Overflow in Zephyr RTOS IP Address Parser

Vulnerability report for CVE-2026-10666, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: Zephyr Project

Description

parse_ipv4() in subsys/net/ip/utils.c (reached via net_ipaddr_parse() for strings of the form "a.b.c.d:port") copies the port substring into a fixed 17-byte stack buffer (char ipaddr[NET_IPV4_ADDR_LEN + 1]) using a length of str_len - end - 1, where str_len is the full, unbounded input length and end is only the (<=15-byte) offset of the ':' delimiter. Because the destination size is never consulted, a crafted address string with a long suffix after the colon (e.g. "1.2.3.4:" followed by hundreds of bytes) causes an out-of-bounds stack write whose length and contents are fully attacker-controlled (memcpy of the suffix plus a trailing NUL), enabling memory corruption and at minimum a denial of service, and potentially control-flow hijack. The parser is reached from the standard socket API (zsock_getaddrinfo / literal-address resolution), DNS server-string configuration, and the eswifi Wi-Fi co-processor DNS-response path, so an application that resolves a network-influenced address string is exposed. The bug was introduced when the parser was added (Zephyr v1.9.0) and shipped in all releases through v4.4.0. The fix removes the unbounded copy and validates the port length before copying into a small dedicated buffer. Note: the equivalent IPv6 "[addr]:port" path in parse_ipv6() retains the same unbounded copy at this commit and remains a separate, still-reachable instance of the defect.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr From 1.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-10666 is a stack-based buffer overflow vulnerability in the Zephyr RTOS project, specifically in the parse_ipv4() function within the net_ipaddr_parse() API. The vulnerability occurs when parsing IPv4 address strings that include a port number (in the form "a.b.c.d:port"). The code copies the port substring into a fixed-size 17-byte stack buffer without proper bounds checking, using a length calculation that can exceed the buffer size. This allows an attacker to craft an input string with a very long port suffix, causing an out-of-bounds write on the stack.

This overflow can lead to memory corruption, resulting in at least a denial of service and potentially allowing an attacker to hijack control flow or execute arbitrary code remotely. The vulnerability affects all Zephyr versions from v1.9.0 through v4.4.0 before the fix was applied.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service or potentially execute arbitrary code remotely on a device running the affected Zephyr RTOS versions. Since the flaw is reachable via standard socket API calls and DNS-related configurations, any application that resolves network-influenced address strings is exposed.

Exploitation could lead to memory corruption, crashing the system or enabling control-flow hijacking, which could compromise the security and stability of your device or application.

Detection Guidance

This vulnerability involves a stack-based buffer overflow in the parse_ipv4 function when parsing IPv4 address strings with a port suffix. Detection can focus on identifying network traffic or logs containing malformed IPv4 address strings with unusually long port suffixes following a colon, such as "1.2.3.4:" followed by hundreds of bytes.

To detect exploitation attempts or vulnerable inputs, you can monitor network traffic for suspicious address strings or use application-level logging to capture inputs to the net_ipaddr_parse API or related socket API calls.

While no specific commands are provided in the resources, a general approach could include using packet capture tools like tcpdump or Wireshark with filters for IPv4 addresses containing colons and unusually long port fields.

  • Use tcpdump to capture traffic with suspicious IPv4 addresses: tcpdump -A -s 0 'tcp or udp' | grep -E '\b([0-9]{1,3}\.){3}[0-9]{1,3}:.{10,}'
  • Inspect application logs for inputs to network address parsing functions that include long port suffixes.
Mitigation Strategies

The immediate mitigation step is to update the Zephyr RTOS to a version where the vulnerability has been patched. The fix removes the unbounded copy and validates the port length before copying into the buffer.

Patches have been merged into the main branch and versions 4.4, 4.3, and 3.7 of Zephyr. Applying these updates will prevent exploitation of this buffer overflow.

Additionally, avoid processing untrusted or malformed IPv4 address strings with port suffixes until the patch is applied.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10666. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart