PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10666 Zephyr Project CVE debrief

CVE-2026-10666 is a high-severity vulnerability in the Zephyr project's IPv4 address parsing functionality. The bug was introduced in Zephyr v1.9.0 and affects all releases up to v4.4.0. The vulnerability allows for potential memory corruption and denial of service via crafted address strings. This vulnerability is particularly concerning because it can be exploited through the standard socket API, DNS server-string configuration, and the eswifi Wi-Fi co-processor DNS-response path, making it a significant risk for developers and users of the Zephyr project.

Vendor
Zephyr Project
Product
Zephyr RTOS
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-12
Original CVE updated
2026-07-12
Advisory published
2026-07-12
Advisory updated
2026-07-12

Who should care

Developers and users of the Zephyr project, especially those who resolve network-influenced address strings, should be aware of this vulnerability and take necessary precautions. This includes reviewing and updating Zephyr project dependencies to ensure the fix is applied, validating and sanitizing network-influenced address strings, and implementing compensating controls to detect and prevent potential attacks.

Technical summary

The parse_ipv4() function in subsys/net/ip/utils.c copies the port substring into a fixed 17-byte stack buffer using an unbounded input length, allowing for a crafted address string with a long suffix after the colon to cause an out-of-bounds stack write. This can lead to memory corruption and denial of service. The fix removes the unbounded copy and validates the port length before copying into a small dedicated buffer. The vulnerability is reachable from the standard socket API, DNS server-string configuration, and the eswifi Wi-Fi co-processor DNS-response path.

Defensive priority

High

Recommended defensive actions

  • Review and update Zephyr project dependencies to ensure the fix is applied
  • Validate and sanitize network-influenced address strings
  • Implement compensating controls to detect and prevent potential attacks
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-07-12T17:16:24.550Z and has not been modified since then. The NVD entry is currently 8.1 HIGH. This vulnerability affects the Zephyr project's IPv4 address parsing functionality, which is used in various components, including the standard socket API, DNS server-string configuration, and the eswifi Wi-Fi co-processor DNS-response path. The bug was introduced in Zephyr v1.9.0 and affects all releases up to v4.4.0. The vulnerability allows for potential memory corruption and denial of service via crafted address strings. The fix removes the unbounded copy and validates the port length before copying into a small dedicated buffer.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T17:16:24.550Z and has not been modified since then. The NVD entry is currently 8.1 HIGH.