Network-influenced Use-After-Return Vulnerability in Zephyr BSD Sockets
CVE-2026-10646

7.4 HIGH

Key Information:

Status
Vendor
CVE Published: 28 June 2026

What is CVE-2026-10646?

Zephyr's implementation of getaddrinfo() mishandles asynchronous DNS resolver queries. It hands the resolver a pointer to a stack-allocated object and can return without properly cancelling previously issued queries, so a DNS response that arrives after the function has returned causes the resolver to invoke its callback with a reference into an expired stack frame. Because an attacker on the network can replay or spoof those DNS responses, the callback writes into stack memory that now belongs to something else, which leads to memory corruption or denial of service.
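The cancel-before-return pattern that closes the window described above, as an added example that is not Zephyr's code: a constructed in-memory simulation of an asynchronous resolver (resolver_submit, resolver_cancel and resolver_deliver are hypothetical names, not the Zephyr API), with the caller's context living on the stack of resolve_sync() and the query cancelled on timeout so that a late, replayed or spoofed answer finds no pending query to deliver to.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed simulation of an async resolver (not Zephyr's DNS code): a caller
 * registers a callback + user_data; the "network" side fires it via resolver_deliver(). */
#define MAX_QUERIES 4
typedef void (*resolve_cb_t)(const char *addr, void *user_data);
struct query { uint16_t id; bool active; resolve_cb_t cb; void *user_data; };
static struct query queries[MAX_QUERIES];
static uint16_t next_id = 1;
static struct query *find_query(uint16_t id) {
    for (int i = 0; i < MAX_QUERIES; i++)
        if (queries[i].active && queries[i].id == id) return &queries[i];
    return NULL;
}
int resolver_submit(resolve_cb_t cb, void *user_data, uint16_t *id_out) {
    for (int i = 0; i < MAX_QUERIES; i++) {
        if (queries[i].active) continue;
        queries[i] = (struct query){ next_id++, true, cb, user_data };
        *id_out = queries[i].id; return 0;
    }
    return -1;
}
/* After cancel returns, no response for `id` can reach the callback. */
void resolver_cancel(uint16_t id) { struct query *q = find_query(id); if (q) q->active = false; }
/* A response (timely, late, replayed or spoofed) for `id`: 1 if a callback ran, else 0. */
int resolver_deliver(uint16_t id, const char *addr) {
    struct query *q = find_query(id);
    if (!q) return 0;                        /* unknown or cancelled id: dropped */
    q->active = false; q->cb(addr, q->user_data);
    return 1;
}
int pending_queries(void) { int n = 0; for (int i = 0; i < MAX_QUERIES; i++) n += queries[i].active; return n; }
/* Caller context lives in resolve_sync()'s stack frame, as in the CVE. */
struct ctx { char addr[16]; bool done; };
static void on_result(const char *addr, void *user_data) {
    struct ctx *c = user_data;               /* dangling if that frame is gone */
    strncpy(c->addr, addr, sizeof c->addr - 1); c->done = true;
}
/* Safe pattern: `timely` simulates an answer arriving before the timeout. On timeout,
 * cancel BEFORE returning so `c` is never touched again; omitting the cancel is the bug. */
int resolve_sync(bool timely, const char *addr, char *out, size_t outlen) {
    struct ctx c = { .done = false }; uint16_t id;
    if (resolver_submit(on_result, &c, &id) < 0) return -1;
    if (timely) resolver_deliver(id, addr);
    if (!c.done) { resolver_cancel(id); return -2; }
    strncpy(out, c.addr, outlen - 1); out[outlen - 1] = '\0';
    return 0;
}
```

In the vulnerable shape, the `if (!c.done)` branch would return without the cancel, leaving `&c` registered in the resolver; the simulation's `resolver_deliver` then shows what the fix guarantees instead: the late answer matches nothing and is dropped.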

Affected Version(s)

zephyr >= 4.0.0, < 4.5.0

References

CVSS v3.1

Score: 7.4
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
