PT-2026-57568 · Zephyr · Zephyr
Published
2026-07-12
·
Updated
2026-07-12
·
CVE-2026-10666
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Zephyr versions 1.9.0 through 4.4.0
Description
The
parse ipv4() function in subsys/net/ip/utils.c, which is accessed via net ipaddr parse() for strings formatted as "a.b.c.d:port", contains a flaw where it copies the port substring into a fixed 17-byte stack buffer. The copy operation uses a length derived from the full input length minus the offset of the colon delimiter, without verifying the destination buffer size. A crafted address string with a long suffix after the colon can trigger an out-of-bounds stack write, leading to memory corruption, denial of service, or potential control-flow hijack. This issue is reachable through the standard socket API (specifically zsock getaddrinfo or literal-address resolution), DNS server-string configuration, and the eswifi Wi-Fi co-processor DNS-response path.Recommendations
Update Zephyr to a version later than 4.4.0 to ensure the unbounded copy is removed and port length is validated before copying.
As a temporary mitigation, restrict the use of network-influenced address strings in
zsock getaddrinfo and DNS configurations.Fix
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zephyr