Buffer Overflow in Zephyr TCP/IP Stack Affects Network Address Parsing
CVE-2026-10666
8.1HIGH
What is CVE-2026-10666?
The Zephyr RTOS contains a vulnerability within its TCP/IP stack where the parse_ipv4() function allows a specially crafted network address string to exploit a fixed-size stack buffer. An attacker can produce an out-of-bounds write via a long suffix in the address string, resulting in severe memory corruption. This vulnerability, which affects versions from 1.9.0 up to 4.4.0, can lead to denial of service and potential control-flow hijacking through the standard socket API and other network parsing functionalities. The issue stems from the lack of validation of the buffer size during the copy operation, making it critical for developers to patch their applications.
Affected Version(s)
zephyr 1.9.0 < 4.5.0
