Mallory
Unrated

Out-of-bounds write in Zephyr recvmsg() ancillary data handling

Identifiers: CVE-2026-10643, CWE-787

CVE-2026-10643 is a memory corruption vulnerability in Zephyr's IP socket recvmsg() ancillary-data handling, specifically in insert_pktinfo() in subsys/net/lib/sockets/sockets_inet.c. The implementation validated the user-supplied msg_control buffer against only the ancillary payload length (msg->msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header followed by the payload. Because the check omitted the cmsg header size, an undersized control buffer could pass validation and then be overrun while the control message was constructed.

For example, for IPv4 IP_PKTINFO on a 64-bit target, buffers in the 16-27 byte range pass the check even though one control message element requires 28 bytes. The result is a fixed-size out-of-bounds write of up to roughly one cmsg header (about 12 bytes) past the end of the buffer.

In CONFIG_USERSPACE builds, recvmsg verification allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the vulnerable path against that copy, so the overflow becomes a kernel-heap corruption reachable from an unprivileged userspace thread. In supervisor mode, the overflow corrupts the caller-provided buffer instead. Affected versions are Zephyr v3.6.0 through v4.4.0.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes memory corruption through an out-of-bounds write during ancillary control-message construction. In CONFIG_USERSPACE configurations, an unprivileged userspace thread can corrupt kernel heap memory, which can lead to kernel instability, crashes and denial of service, and potentially to further exploitation depending on heap layout and target-specific hardening. In supervisor mode, the overwrite corrupts the caller's own buffer. The overwritten bytes are partly derived from received packet data, including the destination address stored in ipi_addr, which may give an attacker who can send packets to the socket some control over the corruption contents.

Mitigation

If you can’t patch tonight, do this now.

Until the fix is applied, reduce exposure in three ways. Avoid CONFIG_USERSPACE where feasible, since that is the configuration in which the overflow lands in kernel heap rather than in the caller's buffer. Disable, or do not enable, the ancillary-data options that reach the vulnerable path (IP_PKTINFO, IPV6_RECVPKTINFO, hop limit, and timestamping on UDP/IP sockets). Make sure your own applications never call recvmsg() with an undersized msg_control buffer; sizing it with CMSG_SPACE() for every control message you expect avoids triggering the bug from benign code, but note that this is a discipline for trusted callers only: the faulty check lives in the kernel, so it does not stop a malicious userspace thread from supplying a short buffer deliberately. Where possible, restrict untrusted userspace code from accessing the affected socket functionality at all.

Remediation

Patch, then assume compromise.

Update Zephyr to a patched release that corrects the ancillary buffer capacity validation in recvmsg() by checking the full required control-message space, NET_CMSG_SPACE(pktinfo_len), rather than only the payload length. The corrected implementation returns -ENOMEM when the supplied control buffer is too small. All deployments running affected versions 3.6.0 through 4.4.0 should be upgraded to a fixed version.
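To make the length arithmetic from the description and the remediation concrete, here is an added example (not Zephyr's code and not from the advisory) that models insert_pktinfo() with the pre-fix payload-only check beside the corrected CMSG_SPACE-style check. It pins the cmsg layout to the 64-bit convention the description uses (16-byte header, 8-byte alignment) so the numbers reproduce the 16-27 byte window and the 28-byte element size quoted above regardless of host. The model_* names, the sample pktinfo values, and the -EINVAL returned when the buffer cannot hold even a cmsg header are this example's own assumptions.

```c
/*
 * Added example (not Zephyr code): model of the recvmsg() control-buffer
 * length check in insert_pktinfo(), pre-fix and fixed, run against a
 * guarded buffer so the overrun can be measured instead of corrupting
 * real memory.  Layout is fixed to the 64-bit convention: 16-byte cmsg
 * header, 8-byte alignment.  All model_* names are this example's own.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_ALIGN(n)       (((n) + (size_t)7) & ~(size_t)7)
#define MODEL_CMSG_HDR       ((size_t)16)                        /* sizeof cmsghdr, 64-bit */
#define MODEL_CMSG_LEN(n)    (MODEL_CMSG_HDR + (n))             /* bytes actually written */
#define MODEL_CMSG_SPACE(n)  (MODEL_CMSG_HDR + MODEL_ALIGN(n))  /* what NET_CMSG_SPACE reserves */

struct model_cmsghdr {
	uint64_t cmsg_len;    /* size_t on a 64-bit target */
	int32_t  cmsg_level;
	int32_t  cmsg_type;
};

/* Same shape as Zephyr's struct in_pktinfo: two IPv4 addresses and an ifindex (12 bytes). */
struct model_in_pktinfo {
	uint32_t ipi_spec_dst;
	uint32_t ipi_addr;    /* destination address taken from the received packet */
	uint32_t ipi_ifindex;
};

/*
 * Build one IP_PKTINFO control message at buf.  fixed == 0 applies the
 * pre-fix check (payload length only); fixed != 0 applies the corrected
 * check (full CMSG_SPACE).  Returns a negative errno when the buffer is
 * rejected, otherwise the number of bytes written beyond controllen.
 * buf must hold at least MODEL_CMSG_LEN(sizeof(struct model_in_pktinfo))
 * bytes so the modelled overrun lands in memory we own.
 */
int model_insert_pktinfo(unsigned char *buf, size_t controllen,
			 const struct model_in_pktinfo *pi, int fixed)
{
	size_t pktinfo_len = sizeof(*pi);

	if (fixed) {
		if (controllen < MODEL_CMSG_SPACE(pktinfo_len)) {
			return -ENOMEM;   /* the corrected check */
		}
	} else {
		if (controllen < pktinfo_len) {
			return -EINVAL;   /* the pre-fix, payload-only check (errno assumed) */
		}
		/* CMSG_FIRSTHDR() yields NULL when not even a header fits;
		 * modelled here as -EINVAL (assumed), which is why the
		 * exploitable window starts at 16 rather than 12 bytes. */
		if (controllen < MODEL_CMSG_HDR) {
			return -EINVAL;
		}
	}

	struct model_cmsghdr hdr = {
		.cmsg_len = MODEL_CMSG_LEN(pktinfo_len),
		.cmsg_level = 0,  /* IPPROTO_IP, illustrative */
		.cmsg_type = 0,   /* IP_PKTINFO, value not modelled */
	};
	memcpy(buf, &hdr, sizeof(hdr));
	memcpy(buf + MODEL_ALIGN(sizeof(hdr)), pi, pktinfo_len);

	size_t written = MODEL_CMSG_LEN(pktinfo_len);
	return written > controllen ? (int)(written - controllen) : 0;
}

/*
 * Run the model against a guarded buffer: every byte past controllen is
 * pre-filled with 0xAA and counted afterwards.  Returns the number of
 * guard bytes clobbered, or the negative errno from the length check.
 */
int model_guard_clobbered(size_t controllen, int fixed)
{
	unsigned char backing[128];
	/* constructed sample: local 10.0.0.1, packet sent to 10.0.0.254, ifindex 1 */
	struct model_in_pktinfo pi = {
		.ipi_spec_dst = 0x0100000a,
		.ipi_addr = 0xfe00000a,
		.ipi_ifindex = 1,
	};

	if (controllen > sizeof(backing) / 2) {
		return -EINVAL;
	}
	memset(backing, 0xAA, sizeof(backing));

	int rc = model_insert_pktinfo(backing, controllen, &pi, fixed);
	if (rc < 0) {
		return rc;
	}

	int clobbered = 0;
	for (size_t i = controllen; i < sizeof(backing); i++) {
		if (backing[i] != 0xAA) {
			clobbered++;
		}
	}
	return clobbered;
}

int main(void)
{
	size_t lens[] = { 12, 16, 20, 27, 28, 32 };

	printf("controllen  pre-fix bytes past end  fixed result\n");
	for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		int v = model_guard_clobbered(lens[i], 0);
		int f = model_guard_clobbered(lens[i], 1);
		printf("%10zu  %-23d %s\n", lens[i], v,
		       f == -ENOMEM ? "-ENOMEM" : "ok");
	}
	return 0;
}
```

Running it shows the window the description quotes: 12-15 byte buffers are rejected by both versions, 16-27 byte buffers pass the pre-fix check and are overrun by 12 down to 1 bytes, 28 bytes hold the written element but still fail the corrected check (which demands the aligned 32 bytes of CMSG_SPACE), and 32 bytes satisfy both. The same MODEL_CMSG_SPACE arithmetic is what an application should use when sizing msg_control.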
Public exploits

No public exploit code observed for this vulnerability.
