eastbaycyber

CVE-2026-10646: Zephyr RTOS DNS Memory Corruption

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-06-28
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-10646
CVSS score 7.4 High
Attack vector Unknown from available source material
Authentication required Unknown from available source material
Patch status Upstream fix commit available
KEV status Not listed in CISA KEV
Public PoC None verified from available sources
Exploitation in the wild None verified from available sources

TL;DR - Zephyr RTOS has a high-severity memory-safety flaw in getaddrinfo() async DNS handling. - Systems using vulnerable pre-fix code should review Zephyr versions and apply the upstream fix. - No confirmed in-the-wild exploitation is known, but the bug can plausibly cause crashes and memory corruption.

What is CVE-2026-10646?

CVE-2026-10646 is a memory-safety issue in Zephyr RTOS, specifically in the BSD sockets getaddrinfo() implementation under subsys/net/lib/sockets/getaddrinfo.c. The flaw occurs when a pointer to a stack-allocated state object is passed into an asynchronous DNS resolver query as callback context. Under certain timeout and retry conditions, that context can later be used after the original stack frame is no longer valid.

In practical terms, the bug is a stale callback or use-after-scope condition in the DNS resolution path. If an earlier DNS query remains active and later fires a callback, the callback may write into memory that used to hold the getaddrinfo() state on the stack. That can corrupt memory, destabilize the network stack, or crash the target. Because the trigger involves DNS replies and timeout handling, this matters for connected Zephyr deployments that rely on hostname resolution in real operating conditions, not just lab-only edge cases.

AnalystImpact · assess the risk

Quick impact assessment for defenders

The main security takeaway is that this is not just a benign logic bug. The vulnerability sits in a network-facing code path and involves asynchronous callback execution against expired stack memory. Even when exact exploitation conditions are not fully documented publicly, memory corruption bugs in network processing paths should be treated seriously in embedded environments because they often manifest first as intermittent crashes, resolver instability, or unexplained resets.

The available source material supports denial-of-service and undefined behavior as realistic outcomes. It does not provide enough detail to responsibly claim full remote code execution, so defenders should avoid overstating the risk. Still, if your device accepts or initiates DNS traffic and uses vulnerable Zephyr code paths, the right working assumption is that a network-triggerable memory corruption condition exists and patching should be prioritized accordingly.

Affected products and versions

The affected product is Zephyr RTOS. What is confirmed from the available source material is that the flaw exists in pre-fix Zephyr code handling getaddrinfo() asynchronous DNS resolution. The NVD entry and upstream references confirm the component and the existence of a fix commit.

The exact affected version range and the fixed release version number were not verifiable from the source material provided here. That matters because version precision is important for fleet triage, but inventing ranges would be misleading. Defenders should therefore assume that any Zephyr build containing the vulnerable pre-fix implementation in subsys/net/lib/sockets/getaddrinfo.c is affected until they verify inclusion of the upstream fix commit cd27da58eedb8d0fe380dd340b81ca5afa35de45 or a vendor release note explicitly stating the patch is included.

Technical Notes

You can check whether your Zephyr source tree includes the fix commit if you maintain source-based builds:

git -C /path/to/zephyr rev-parse --verify cd27da58eedb8d0fe380dd340b81ca5afa35de45

If the commit is present, Git will return the commit ID. If not, it will error. You can also inspect the affected file history:

git -C /path/to/zephyr log --oneline -- subsys/net/lib/sockets/getaddrinfo.c

For downstream SDKs or vendor firmware, verify the bundled Zephyr revision:

git -C /path/to/your/project submodule status
west list

If your vendor does not disclose the Zephyr base revision, assume exposure until they confirm patch status.

Technical root cause

The root cause is a mismatch between stack object lifetime and asynchronous callback lifetime. getaddrinfo() creates a stack-allocated state object, often described in the advisory context as struct getaddrinfo_state ai_state, and passes its pointer as user_data to the asynchronous DNS resolver. That pattern is safe only if all callbacks are guaranteed to complete before the function returns or if outstanding operations are canceled reliably.

The bug appears when the socket layer waits on a semaphore and times out with -EAGAIN, then retries the request without canceling the prior query and without resetting synchronization state properly. The earlier resolver slot remains active, but the tracking field for cancellation is overwritten on retry. Later, either a delayed DNS response or delayed resolver timeout work triggers dns_resolve_cb() using the stale pointer. At that point, the callback operates on an out-of-scope stack frame, creating memory corruption.

Technical Notes

The conditions explicitly called out in the available description include workqueue contention and a documented multi-retry configuration where:

CONFIG_NET_SOCKETS_DNS_TIMEOUT > CONFIG_NET_SOCKETS_DNS_BACKOFF_INTERVAL

That means this is not purely academic. Timing-related failures become more plausible when embedded systems are busy, under load, or configured for retries. In constrained RTOS environments, delayed workqueue execution is common enough that defenders should not dismiss this as unreachable.

A simplified conceptual flow looks like this:

struct getaddrinfo_state ai_state;   // stack object
dns_id = dns_get_addr_info(..., dns_resolve_cb, &ai_state);

ret = k_sem_take(&ai_state.sem, timeout);
if (ret == -EAGAIN) {
    // vulnerable behavior before fix:
    // retry without canceling previous query
    // stale callback still references &ai_state
    goto again;
}

// function returns, ai_state goes out of scope
// delayed callback later runs against invalid stack memory

Exploitation status and attacker considerations

As of 2026-06-28, there is no verified evidence from the provided primary sources that CVE-2026-10646 is being exploited in the wild. It is not listed in the CISA Known Exploited Vulnerabilities catalog, which means there is no CISA-confirmed active exploitation signal at this time. That is useful context for prioritization, but it should not be read as a guarantee of safety.

There is also no verified public proof-of-concept in the materials available here. The known references point to the NVD entry, the upstream fix commit, and the GitHub Security Advisory. In the absence of a public PoC, defenders should still assume reproductions are possible for capable researchers because the bug mechanics are clearly described: timeout handling, retry logic, async DNS callbacks, and stale stack context.

Prioritization guidance for SMBs and embedded teams

If you are an SMB using third-party appliances built on Zephyr, the most important action is to ask vendors whether their firmware includes the fix commit or an equivalent patched Zephyr release. Because exact version ranges were not verifiable from the source material here, vendor attestation is essential. Ask for the embedded Zephyr revision, patch inclusion status, and estimated firmware release date.

For internal engineering teams building on Zephyr directly, treat this as a high-priority networking patch, especially if your product performs DNS lookups during startup, cloud registration, MQTT bootstrap, OTA workflows, or dynamic service discovery. Those are the kinds of real-world operations that can repeatedly invoke getaddrinfo() and increase the chances of hitting retry and timeout paths.

Bottom line

CVE-2026-10646 is a high-severity Zephyr RTOS memory-safety flaw in getaddrinfo() asynchronous DNS handling. The bug is serious because it combines network-triggered timing behavior with stale callback state and expired stack memory. There is no verified evidence of exploitation in the wild and no verified public PoC from the available materials, but defenders should still prioritize patch validation.

The most responsible stance is simple: do not guess based on severity labels alone, and do not wait for KEV listing before acting. Verify whether your Zephyr build includes commit cd27da58eedb8d0fe380dd340b81ca5afa35de45, work with vendors to confirm patch status, and test DNS-heavy workflows for signs of instability until patched.

For more information on related vulnerabilities, check out our articles on what is JWT and passkeys standards.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

ResponderRunbook · act now

Detection and exposure validation

Detection is more about identifying vulnerable behavior and crash indicators than searching for a mature exploit signature. Because the issue hinges on DNS timing, retry behavior, and delayed callbacks, the strongest signals are likely to be resolver errors, getaddrinfo() instability, watchdog resets after DNS activity, and unexplained faults in networking-heavy code paths.

If you operate Zephyr-based products, start by correlating DNS activity with crashes or assertion failures. Devices that perform hostname lookups under load, intermittent network quality, or heavy workqueue contention deserve extra scrutiny. If you have test environments, intentionally stress DNS timing and retry behavior while monitoring for faults, hangs, or memory corruption symptoms.

Technical Notes

Look for log patterns around semaphore timeouts, DNS query retries, and resolver callback behavior. Exact messages vary by build and logging configuration, so start with broad patterns:

getaddrinfo
dns
resolver
-EAGAIN
timeout
workqueue
fault
hard fault
watchdog
reset

A practical grep across captured UART or serial logs:

grep -Ei 'getaddrinfo|dns|resolver|-EAGAIN|timeout|fault|watchdog|reset' zephyr-device.log

If you export logs into a SIEM, a simple query pattern could look like:

SELECT timestamp, device_id, message
FROM zephyr_logs
WHERE message REGEXP '(getaddrinfo|dns|resolver|-EAGAIN|timeout|fault|watchdog|reset)'
ORDER BY timestamp DESC;

On the network side, repeated DNS retries from the same device followed by instability are worth investigating. A packet-capture filter for DNS traffic to or from the device:

tcpdump -ni any 'udp port 53 and host <device-ip>'

If you are validating exploitability in a lab, observe whether delayed or repeated DNS responses correlate with device crashes. That is not a production detection signature, but it is a concrete way to confirm exposure.

Mitigation and patching

The primary mitigation is to move to a Zephyr build that includes the upstream fix commit cd27da58eedb8d0fe380dd340b81ca5afa35de45. Because the exact fixed release version was not verifiable from the source material here, the safest operational guidance is commit-based verification for source consumers and explicit vendor confirmation for packaged firmware consumers.

If you cannot patch immediately, reduce exposure by limiting or tightly controlling DNS resolution from affected devices where feasible. This is not a complete fix. The bug exists in the logic path itself, so workaround value depends on whether your application can avoid getaddrinfo() or reduce resolver stress. For critical embedded systems, isolating outbound DNS behavior and avoiding unstable resolver timing conditions may lower risk until a patched build is deployed.

Technical Notes

For source-based Zephyr projects, fetch and integrate the upstream fix:

cd /path/to/zephyr
git fetch origin
git cherry-pick cd27da58eedb8d0fe380dd340b81ca5afa35de45

Then rebuild your firmware:

west build -b <your_board> /path/to/your/app --pristine

If your project pins Zephyr through a manifest, update and resync:

west update
west build -b <your_board> /path/to/your/app --pristine

If immediate patching is impossible, review DNS timing-related configuration and application behavior. The available description specifically notes a reachable timeout condition when:

CONFIG_NET_SOCKETS_DNS_TIMEOUT > CONFIG_NET_SOCKETS_DNS_BACKOFF_INTERVAL

A temporary risk-reduction step is to review and normalize those values in your Zephyr configuration, while understanding this is not a substitute for the patch:

# Example review target in prj.conf or overlay config
CONFIG_NET_SOCKETS_DNS_TIMEOUT=<value>
CONFIG_NET_SOCKETS_DNS_BACKOFF_INTERVAL=<value>

Also consider replacing hostname-based network flows with static IP configuration where operationally acceptable until patched. That workaround may be viable for fixed infrastructure devices, but it is application-dependent and does not remove the vulnerable code from firmware.

References

Last verified: 2026-06-28

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.