Impact
Zephyr’s IP socket recvmsg() implementation validates the ancillary buffer only against its payload length, ignoring the size of the aligned cmsg header. An attacker can craft a buffer that passes this check yet is too small for the full header plus payload, causing an out‑of‑bounds write during recvmsg(). When CONFIG_USERSPACE is enabled, the overflow corrupts kernel‑space heap memory and can be triggered by an unprivileged userspace thread; in supervisor mode it corrupts the caller’s buffer. The resulting kernel heap corruption enables an attacker to overwrite critical kernel data, allowing remote code execution or denial of service.
Affected Systems
Zephyr Project Zephyr OS is affected for all releases from v3.6.0 through v4.4.0. These versions contain the buggy insert_pktinfo() implementation that performs the undersized buffer validation.
Risk and Exploitability
The CVSS score of 8.7 classifies this as a high‑severity vulnerability. The EPSS score is low, at < 1%, and the issue is not listed in the CISA KEV catalog, but the attack vector is reachable via any UDP or IPv6 socket that has IP_PKTINFO/IPV6_RECVPKTINFO enabled. An unprivileged userspace thread can trigger the overflow by performing a recvmsg() call with an undersized control buffer while a datagram is received, leading to kernel heap corruption that could be leveraged for privilege escalation or arbitrary code execution.
OpenCVE Enrichment