PT-2026-57568 · Zephyr · Zephyr

Published

2026-07-12

·

Updated

2026-07-12

·

CVE-2026-10666

CVSS v3.1

8.1

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Zephyr versions 1.9.0 through 4.4.0
Description The parse ipv4() function in subsys/net/ip/utils.c, which is accessed via net ipaddr parse() for strings formatted as "a.b.c.d:port", contains a flaw where it copies the port substring into a fixed 17-byte stack buffer. The copy operation uses a length derived from the full input length minus the offset of the colon delimiter, without verifying the destination buffer size. A crafted address string with a long suffix after the colon can trigger an out-of-bounds stack write, leading to memory corruption, denial of service, or potential control-flow hijack. This issue is reachable through the standard socket API (specifically zsock getaddrinfo or literal-address resolution), DNS server-string configuration, and the eswifi Wi-Fi co-processor DNS-response path.
Recommendations Update Zephyr to a version later than 4.4.0 to ensure the unbounded copy is removed and port length is validated before copying. As a temporary mitigation, restrict the use of network-influenced address strings in zsock getaddrinfo and DNS configurations.

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-10666

Affected Products

Zephyr