{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-10643", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "state": "PUBLISHED", "assignerShortName": "zephyr", "dateReserved": "2026-06-02T15:11:44.894Z", "datePublished": "2026-06-27T22:59:22.007Z", "dateUpdated": "2026-06-27T22:59:22.007Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-06-27T22:59:22.007Z"}, "title": "Out-of-bounds heap write in Zephyr `recvmsg()` ancillary-data path (`insert_pktinfo` undersizes the control-buffer capacity check)", "descriptions": [{"lang": "en", "value": "Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg-msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0."}], "affected": [{"vendor": "zephyrproject", "product": "zephyr", "collectionURL": "https://github.com/zephyrproject-rtos/zephyr", "packageName": "zephyr", "defaultStatus": "unaffected", "versions": [{"version": "3.6.0", "status": "affected", "lessThan": "4.5.0", "versionType": "semver"}]}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/commit/01fe77b2ec3885583f709a17c5203ce02bd77012", "name": "Fix commit", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H", "baseScore": 8.7, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "bounds", "cweId": "CWE-787", "type": "CWE"}]}], "x_generator": {"engine": "cvelib 1.8.0"}}}}

{}

{}

{}

{"created": "2026-06-28T01:00:04.831756+00:00", "updated": "2026-06-28T01:00:04.831768+00:00", "vendors": []}