CVE-2026-10643 describes a bounds checking vulnerability in the Zephyr project's IP socket recvmsg() function, specifically in the insert_pktinfo() code. The implementation validates the user-supplied ancillary control buffer length using only the payload length, ignoring the size of the aligned control message header. This allows a control buffer length in a certain range to pass the check but causes a fixed-size out-of-bounds write of up to one control message header past the buffer end. Under CONFIG_USERSPACE, this leads to kernel heap corruption, exploitable by an unprivileged userspace thread. The flaw is reachable on UDP/IP sockets with IP_PKTINFO/IPV6_RECVPKTINFO or related options enabled when recvmsg() is called with an undersized control buffer and a datagram is received. The fix involves using NET_CMSG_SPACE(pktinfo_len) for capacity checks and returning -ENOMEM if the buffer is too small. Affected versions are from 3.6.0 up to but not including 4.5.0.

The vulnerability allows an attacker with local unprivileged userspace access to cause a fixed-size out-of-bounds write in kernel heap memory, potentially leading to memory corruption. This can result in information disclosure, privilege escalation, or denial of service. The CVSS score of 8.7 reflects high impact with low attack complexity, requiring local privileges but no user interaction. The vulnerability compromises confidentiality, integrity, and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix involves correcting the buffer length check to include the control message header size and returning an error if the buffer is too small. Until an official patch is available, avoid enabling IP_PKTINFO/IPV6_RECVPKTINFO or related socket options on affected Zephyr versions or ensure that applications do not call recvmsg() with undersized control buffers.