Description
Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg->msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.
Published: 2026-06-27
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zephyr's IP socket recvmsg() implementation validates the ancillary control buffer only against the payload length, omitting the cmsg header size. A caller can craft a control buffer that passes this check but is too small for the full aligned header plus payload. The resulting out-of-bounds write lands in kernel heap memory when CONFIG_USERSPACE is enabled, or corrupts the caller's buffer in supervisor mode, potentially allowing an attacker to overwrite critical kernel data and achieve remote code execution or denial of service.

Affected Systems

Zephyr Project Zephyr OS is affected for all releases from v3.6.0 through v4.4.0. These versions contain the buggy insert_pktinfo() implementation that performs the undersized buffer validation.

Risk and Exploitability

The CVSS score of 8.7 classifies this as a high-severity vulnerability. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, but the attack vector is reachable via any UDP or IPv6 socket that has IP_PKTINFO/IPV6_RECVPKTINFO enabled. An unprivileged userspace thread can trigger the overflow by performing a recvmsg() call with an undersized control buffer while a datagram is received, leading to kernel heap corruption that could be leveraged for privilege escalation or arbitrary code execution.

Generated by OpenCVE AI on June 28, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zephyr to a release newer than v4.4.0 where the control-buffer size check uses NET_CMSG_SPACE and returns -ENOMEM when too small.
  • If an upgrade is not immediately possible, ensure that every recvmsg() call supplies a control buffer sized at least NET_CMSG_SPACE(pktinfo_len); otherwise avoid enabling IP_PKTINFO/IPV6_RECVPKTINFO or related ancillary data options that trigger the overflow.
  • Apply the bug-fix patch referenced in commit 01fe77b2ec3885583f709a17c5203ce02bd77012 to your Zephyr tree to correct the validation logic.
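The capacity check described in the Description and the buffer-sizing rule in the second recommended action, as an added worked example in C that is not Zephyr's code: a model of the insert_pktinfo() control-message write with both the original payload-only guard and the corrected NET_CMSG_SPACE-style guard, run against a canary-filled arena so the bytes written past the end of the control buffer can be counted. The cmsg header layout, the 4-byte alignment and the 16-byte payload are constructed so the numbers reproduce the description's figures (12-byte header, 28-byte element, 16..27-byte under-checked window); the real Zephyr macros and struct sizes depend on the target.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Modelled control-message layout. Constructed for this example, NOT Zephyr's
 * headers: a 12-byte cmsg header and 4-byte alignment are chosen so that one
 * IPv4 pktinfo element occupies 28 bytes, matching the description's figures.
 */
#define MODEL_ALIGN 4u
#define MODEL_ROUND_UP(x) ((((x) + MODEL_ALIGN - 1u) / MODEL_ALIGN) * MODEL_ALIGN)

struct model_cmsghdr {
	uint32_t cmsg_len;   /* bytes in header + payload */
	int32_t  cmsg_level;
	int32_t  cmsg_type;
};

#define MODEL_CMSG_LEN(len)   (MODEL_ROUND_UP(sizeof(struct model_cmsghdr)) + (len))
#define MODEL_CMSG_SPACE(len) (MODEL_ROUND_UP(sizeof(struct model_cmsghdr)) + MODEL_ROUND_UP(len))

#define MODEL_PKTINFO_LEN 16u  /* payload length taken from the description's 64-bit example */
#define ARENA_SIZE 64u
#define CANARY 0xAAu

/*
 * Append one control message (header + payload) to a controllen-byte control
 * buffer. fixed_check selects the corrected capacity test (CMSG_SPACE) instead
 * of the original payload-only test. Returns 0 or -ENOMEM if the buffer is too small.
 */
static int model_insert_cmsg(uint8_t *ctrl, size_t controllen,
			     const uint8_t *payload, size_t payload_len,
			     bool fixed_check)
{
	size_t hdr_space = MODEL_ROUND_UP(sizeof(struct model_cmsghdr));
	size_t needed = fixed_check ? MODEL_CMSG_SPACE(payload_len) : payload_len;

	if (controllen < needed) {
		return -ENOMEM;
	}

	struct model_cmsghdr hdr = {
		.cmsg_len = (uint32_t)MODEL_CMSG_LEN(payload_len),
		.cmsg_level = 0,
		.cmsg_type = 8,
	};

	memcpy(ctrl, &hdr, sizeof(hdr));              /* header first ... */
	memcpy(ctrl + hdr_space, payload, payload_len); /* ... then the aligned payload */
	return 0;
}

/*
 * Run the insert against a controllen-byte buffer at the start of a canary-filled
 * arena and count the canary bytes clobbered past its end. rc may be NULL.
 */
size_t model_overflow_bytes(size_t controllen, bool fixed_check, int *rc)
{
	uint8_t arena[ARENA_SIZE];
	/* Constructed payload: ifindex 1, spec_dst 192.0.2.1, addr 192.0.2.255, padding */
	const uint8_t payload[MODEL_PKTINFO_LEN] = {
		1, 0, 0, 0, 192, 0, 2, 1, 192, 0, 2, 255, 1, 2, 3, 4,
	};
	size_t clobbered = 0;
	int ret;

	memset(arena, CANARY, sizeof(arena));
	ret = model_insert_cmsg(arena, controllen, payload, sizeof(payload), fixed_check);
	if (rc) {
		*rc = ret;
	}
	for (size_t i = controllen; i < sizeof(arena); i++) {
		if (arena[i] != CANARY) {
			clobbered++;
		}
	}
	return clobbered;
}

/* Return value of the insert alone, for a given buffer size and guard. */
int model_insert_rc(size_t controllen, bool fixed_check)
{
	int rc;
	(void)model_overflow_bytes(controllen, fixed_check, &rc);
	return rc;
}

/* Bounds of the window that passes the payload-only guard yet overflows. */
size_t model_window_low(size_t payload_len)  { return payload_len; }
size_t model_window_high(size_t payload_len) { return MODEL_CMSG_SPACE(payload_len) - 1; }

int main(void)
{
	printf("under-checked window: %zu..%zu bytes\n",
	       model_window_low(MODEL_PKTINFO_LEN), model_window_high(MODEL_PKTINFO_LEN));
	for (size_t len = 12; len <= 28; len += 4) {
		int rc_old, rc_new;
		size_t over_old = model_overflow_bytes(len, false, &rc_old);
		size_t over_new = model_overflow_bytes(len, true, &rc_new);
		printf("controllen=%2zu  old: rc=%d overflow=%zu  fixed: rc=%d overflow=%zu\n",
		       len, rc_old, over_old, rc_new, over_new);
	}
	return 0;
}
```

With the payload-only guard, a 16-byte buffer is accepted and the full 12 header bytes land past its end, which is the "up to one cmsg header" figure in the description; the corrected guard rejects every size below 28 with -ENOMEM and writes nothing. An application that must keep running an affected release sizes its buffer from CMSG_SPACE of the payload, never from the payload alone.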

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Description Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg->msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.
Title Out-of-bounds heap write in Zephyr `recvmsg()` ancillary-data path (`insert_pktinfo` undersizes the control-buffer capacity check)
Weaknesses CWE-787
References
Metrics cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-27T22:59:22.007Z

Reserved: 2026-06-02T15:11:44.894Z

Link: CVE-2026-10643

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T01:00:04Z

Weaknesses