Impact
Zephyr’s BSD‑socket getaddrinfo hierarchy uses an asynchronous DNS resolver that passes a stack‑allocated state object to the resolver’s callback mechanism. When a query times out, the original request is retried without cancelling the prior one and without resetting the semaphore that the caller waits on. The prior callback remains active, holding a stale pointer to the freed stack frame. A later UDP DNS reply (or delayed timeout work) satisfies that stale callback, writing into the out‑of‑scope stack memory via the held pointer. Because the 16‑bit transaction identifier of the reply is spoofable, an attacker on an untrusted network can send a fabricated response matching a pending transaction ID, triggering the use‑after‑return. The branch writes into the stack memory used by the application, causing memory corruption, application crashes or denial of service, but does not necessarily enable code execution. The weakness is a classic CWE‑416 use‑after‑free.
Affected Systems
The flaw resides in Zephyr operating system releases 4.0.0 through 4.4.0, specifically within subsys/net/lib/sockets/getaddrinfo.c. Any device running one of these Zephyr versions and performing DNS lookups via the standard socket API is potentially affected.
Risk and Exploitability
The vulnerability has a CVSS score of 7.4, classifying it as High severity. EPSS score of 0.00269 (0.269%) indicates a low probability of exploitation, and it is not listed in the CISA KEV catalog. The attack requires only an externally supplied DNS response over UDP, which an off‑ or on‑path attacker can forge or replay to match a pending query’s 16‑bit transaction ID. Because no privileged local access is needed, the risk is that an attacker on an untrusted network can corrupt the device’s stack, leading to crashes or denial of service. The lack of known exploitation data suggests the likelihood is low to moderate.
OpenCVE Enrichment