PT-2026-53076

Published 2026-06-28 · Updated 2026-06-28 · CVE-2026-10643

CVSS v3.1: 8.7 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg->msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer.

Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet.

The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.
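The faulty guard beside the fixed one, as an added model that is not taken from Zephyr's sources: the layout constants (12-byte cmsg header, 8-byte data alignment, 64-byte arena) are constructed to reproduce the 28-byte element size and the 16-27-byte window stated above, and the weak path's -EINVAL return is a placeholder. The canary count shows how many bytes past the end of the control buffer each guard lets the write reach.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the cmsg layout the advisory describes (not Zephyr's
 * headers): 12-byte header, payload rounded up to 8-byte alignment. IPv4
 * pktinfo (ifindex, spec_dst, addr) is 12 bytes, so one element is 28. */
#define CMSG_HDR_LEN          12u
#define DATA_ALIGN            8u
#define ALIGN_UP(x, a)        ((((x) + (a) - 1u) / (a)) * (a))
#define MODEL_CMSG_SPACE(len) (CMSG_HDR_LEN + ALIGN_UP((len), DATA_ALIGN))
#define IP4_PKTINFO_LEN       12u
#define ARENA_LEN             64u

/* Model of insert_pktinfo(): fixed == 0 reproduces the pre-fix guard that
 * only compares against the payload length; fixed != 0 compares against the
 * full aligned element size and returns -ENOMEM, as the fix does. Either
 * way the write that follows is MODEL_CMSG_SPACE(pktinfo_len) bytes long. */
static int insert_pktinfo_model(uint8_t *buf, size_t controllen,
                                size_t pktinfo_len, int fixed)
{
    size_t need = fixed ? MODEL_CMSG_SPACE(pktinfo_len) : pktinfo_len;
    if (controllen < need) {
        return fixed ? -ENOMEM : -EINVAL;       /* -EINVAL is a placeholder */
    }
    memset(buf, 0x11, CMSG_HDR_LEN);                  /* cmsg_len/level/type */
    memset(buf + CMSG_HDR_LEN, 0x22,                  /* ipi_* fields + pad  */
           ALIGN_UP(pktinfo_len, DATA_ALIGN));
    return 0;
}

/* Put a controllen-byte control buffer at the start of a canary-filled arena
 * and count the canary bytes past its end that were overwritten (negative
 * errno if the guard rejected the buffer, 0 if the write stayed in bounds). */
int overflow_bytes(size_t controllen, size_t pktinfo_len, int fixed)
{
    uint8_t arena[ARENA_LEN];
    int rc, n = 0;
    if (MODEL_CMSG_SPACE(pktinfo_len) > ARENA_LEN || controllen > ARENA_LEN) {
        return -EINVAL;                         /* keeps the model in bounds */
    }
    memset(arena, 0xAA, sizeof(arena));
    rc = insert_pktinfo_model(arena, controllen, pktinfo_len, fixed);
    if (rc < 0) {
        return rc;
    }
    for (size_t i = controllen; i < sizeof(arena); i++) {
        n += (arena[i] != 0xAA);
    }
    return n;
}
```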

Fix

Memory Corruption
