Description
A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller-supplied address into a fixed-size buffer using the caller-controlled addrlen value without validating it against the destination size. struct net_sockaddr is an opaque type, so an application can pass an addrlen larger than sizeof(struct net_sockaddr) (for example 128 bytes into a 24-byte stack buffer), causing the memcpy to read and write past the end of the address memory used by the TLS session cache. This out-of-bounds write can lead to a crash and denial of service, and potentially to arbitrary code execution.
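The copy pattern described above, next to a length-checked form, as an added example: this is not Zephyr's code or its fix. The struct layouts, the function names and the two-slot cache are hypothetical; only the 24-byte destination and the 128-byte length come from the description.

```c
#include <errno.h>
#include <string.h>

#define ADDR_STORAGE 24 /* the 24-byte destination from the description */
#define CACHE_SLOTS  2  /* assumption: small fixed-size session cache */

/* Hypothetical stand-ins for the opaque address type and a cache entry. */
struct addr_storage { unsigned char data[ADDR_STORAGE]; };
struct session_slot { int used; size_t addrlen; struct addr_storage peer; };
static struct session_slot cache[CACHE_SLOTS];

/* Flawed pattern, for contrast only: addrlen is trusted, so any value above
 * sizeof(s->peer) makes memcpy run past the destination. Never called here. */
void slot_store_unchecked(struct session_slot *s, const void *addr, size_t addrlen)
{
    memcpy(&s->peer, addr, addrlen);
    s->used = 1;
}

/* The missing check: the length must fit the fixed-size destination. */
static int addr_ok(const void *addr, size_t addrlen)
{
    return addr != NULL && addrlen > 0 && addrlen <= sizeof(struct addr_storage);
}

/* Hardened store: validate before any copy. Returns the slot index used. */
int session_store(const void *addr, size_t addrlen)
{
    if (!addr_ok(addr, addrlen)) return -EINVAL;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].used) continue;
        memset(&cache[i].peer, 0, sizeof(cache[i].peer));
        memcpy(&cache[i].peer, addr, addrlen);
        cache[i].addrlen = addrlen;
        cache[i].used = 1;
        return i;
    }
    return -ENOMEM;
}

/* Hardened lookup: same check, so the compare never reads past a slot. */
int session_restore(const void *addr, size_t addrlen)
{
    if (!addr_ok(addr, addrlen)) return -EINVAL;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && cache[i].addrlen == addrlen &&
            memcmp(&cache[i].peer, addr, addrlen) == 0) return i;
    return -ENOENT;
}
```

Both the store and the lookup path need the check, since the description names tls_session_store() and tls_session_restore() alike.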
Published: 2026-06-04
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is located in the TLS socket connect path of Zephyr’s network sockets subsystem. A caller-supplied address is copied into a fixed-size buffer using a caller-supplied length without bounds checking, leading to an out-of-bounds write or read. This flaw, classified as CWE-787, can crash the system or, in the worst case, allow attackers to execute arbitrary code. The CVSS score reflects a moderate risk, but the potential for code execution warrants timely attention.

Affected Systems

Zephyr RTOS; specific versions are not enumerated in the advisory. The issue appears when the TLS session cache feature is enabled in the Zephyr kernel.

Risk and Exploitability

The vulnerability has a CVSS score of 6.3; no EPSS score is available, and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the flaw by initiating a TLS connection that supplies an oversized address length during the connect operation. Exploitation would likely lead to a crash or, if successful, arbitrary code execution.

Generated by OpenCVE AI on June 4, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zephyr to a release that contains the defect fix for CVE‑2026‑5066.
  • Temporarily disable TLS session caching by setting CONFIG_NET_TLS_SESSION_CACHE=n in the project configuration until the patch can be applied.
  • Continue to monitor Zephyr’s security advisory page for updated fixes and apply subsequent releases promptly.



Advisories

No advisories yet.

History

Thu, 04 Jun 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zephyrproject-rtos; Zephyrproject-rtos zephyr
Vendors & Products | | Zephyrproject-rtos; Zephyrproject-rtos zephyr

Thu, 04 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Same text as the Description at the top of this page
Title | | net: sockets: tls: Potential out-of-bounds write/read in socket_op_vtable::connect function
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-04T20:31:25.630Z

Reserved: 2026-03-27T22:19:50.768Z

Link: CVE-2026-5066

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T21:16:30.907

Modified: 2026-06-04T21:16:30.907

Link: CVE-2026-5066

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T22:30:25Z

Weaknesses