PatchSiren cyber security CVE debrief
CVE-2026-10666 Zephyr Project CVE debrief
CVE-2026-10666 is a high-severity vulnerability in the Zephyr project's IPv4 address parsing functionality. The bug was introduced in Zephyr v1.9.0 and affects all releases up to v4.4.0. The vulnerability allows for potential memory corruption and denial of service via crafted address strings. This vulnerability is particularly concerning because it can be exploited through the standard socket API, DNS server-string configuration, and the eswifi Wi-Fi co-processor DNS-response path, making it a significant risk for developers and users of the Zephyr project.
- Vendor
- Zephyr Project
- Product
- Zephyr RTOS
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-12
- Original CVE updated
- 2026-07-12
- Advisory published
- 2026-07-12
- Advisory updated
- 2026-07-12
Who should care
Developers and users of the Zephyr project, especially those who resolve network-influenced address strings, should be aware of this vulnerability and take necessary precautions. This includes reviewing and updating Zephyr project dependencies to ensure the fix is applied, validating and sanitizing network-influenced address strings, and implementing compensating controls to detect and prevent potential attacks.
Technical summary
The parse_ipv4() function in subsys/net/ip/utils.c copies the port substring into a fixed 17-byte stack buffer using an unbounded input length, allowing for a crafted address string with a long suffix after the colon to cause an out-of-bounds stack write. This can lead to memory corruption and denial of service. The fix removes the unbounded copy and validates the port length before copying into a small dedicated buffer. The vulnerability is reachable from the standard socket API, DNS server-string configuration, and the eswifi Wi-Fi co-processor DNS-response path.
Defensive priority
High
Recommended defensive actions
- Review and update Zephyr project dependencies to ensure the fix is applied
- Validate and sanitize network-influenced address strings
- Implement compensating controls to detect and prevent potential attacks
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record was published on 2026-07-12T17:16:24.550Z and has not been modified since then. The NVD entry is currently 8.1 HIGH. This vulnerability affects the Zephyr project's IPv4 address parsing functionality, which is used in various components, including the standard socket API, DNS server-string configuration, and the eswifi Wi-Fi co-processor DNS-response path. The bug was introduced in Zephyr v1.9.0 and affects all releases up to v4.4.0. The vulnerability allows for potential memory corruption and denial of service via crafted address strings. The fix removes the unbounded copy and validates the port length before copying into a small dedicated buffer.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T17:16:24.550Z and has not been modified since then. The NVD entry is currently 8.1 HIGH.