CVE-2026-10666

Zephyr Project · Zephyr

A memory-safety vulnerability in the parse_ipv4() function within the Zephyr RTOS networking stack may allow for potential remote code execution or system instability.

Executive summary

A critical memory-safety vulnerability in the Zephyr RTOS networking stack could allow an unauthenticated remote attacker to compromise system integrity.

Vulnerability

The parse_ipv4() function in subsys/net/ip/utils is susceptible to a memory-safety issue (CWE-787). This allows an unauthenticated attacker to trigger an out-of-bounds write via maliciously crafted network traffic.

Business impact

As this affects the networking stack of an RTOS, a successful exploit could lead to full system compromise, including remote code execution, denial of service, or unauthorized control of the embedded device. The CVSS score of 8.1 reflects the high potential for impact on connected devices, which are often critical components of industrial or IoT infrastructure.

Remediation

Immediate Action: Upgrade to the latest available version of the Zephyr RTOS (targeted at 4.5.0 or later) as provided by the vendor.

Proactive Monitoring: Monitor network traffic for malformed IPv4 packets that may trigger crashes or unexpected behavior in the network stack.

Compensating Controls: Implement network segmentation and firewall rules to restrict traffic to only known, trusted sources, reducing the attack surface for the networking stack.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

The severity of this memory corruption vulnerability necessitates immediate action, particularly for devices deployed in public-facing or untrusted network environments. Developers should integrate the provided fix commits into their downstream distributions to ensure system security.