CVE-2026-10646: use-after-free in zephyrproject zephyr
A use-after-free vulnerability exists in Zephyr's BSD-sockets getaddrinfo() implementation due to improper handling of asynchronous DNS resolver queries. This flaw allows a stale callback to access a stack-allocated state object after it has gone out of scope, potentially leading to memory corruption or denial of service. The vulnerability affects Zephyr versions 4.0.0 through 4.4.0. The issue arises when a DNS query times out and is retried without cancelling the previous query, enabling an attacker to influence the stale callback via spoofed or replayed network responses.
AI Analysis
Technical Summary
Zephyr's getaddrinfo() function in the BSD-sockets implementation passes a pointer to a stack-allocated state object as user_data to an asynchronous DNS resolver query. If the semaphore wait times out due to resolver delays or multi-retry configurations, the code retries the query without cancelling the previous one or resetting the semaphore. This leaves the previous query active with a stale pointer to the stack object. Subsequent DNS responses or timeout work invoke a callback using this invalid pointer, causing use-after-return memory corruption. The vulnerability is exploitable by an attacker capable of spoofing or replaying UDP DNS responses, potentially causing crashes or denial of service. The flaw affects Zephyr versions from 4.0.0 up to but not including 4.5.0.
Potential Impact
An attacker able to send spoofed or replayed UDP DNS responses can trigger a use-after-return condition, corrupting stack memory. This can lead to application crashes or denial of service. There is no direct confidentiality impact reported. The CVSS 3.1 score is 7.4 (High) with network attack vector, high impact on integrity and availability, and no privileges or user interaction required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix involves cancelling timed-out queries before retrying and resetting the semaphore to prevent stale callbacks. Until an official patch or update is released, users should monitor the vendor's advisories for updates and consider mitigating exposure to untrusted networks if feasible.
CVE-2026-10646: use-after-free in zephyrproject zephyr
Description
A use-after-free vulnerability exists in Zephyr's BSD-sockets getaddrinfo() implementation due to improper handling of asynchronous DNS resolver queries. This flaw allows a stale callback to access a stack-allocated state object after it has gone out of scope, potentially leading to memory corruption or denial of service. The vulnerability affects Zephyr versions 4.0.0 through 4.4.0. The issue arises when a DNS query times out and is retried without cancelling the previous query, enabling an attacker to influence the stale callback via spoofed or replayed network responses.
CVSS v3.1
Score 7.4high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Zephyr's getaddrinfo() function in the BSD-sockets implementation passes a pointer to a stack-allocated state object as user_data to an asynchronous DNS resolver query. If the semaphore wait times out due to resolver delays or multi-retry configurations, the code retries the query without cancelling the previous one or resetting the semaphore. This leaves the previous query active with a stale pointer to the stack object. Subsequent DNS responses or timeout work invoke a callback using this invalid pointer, causing use-after-return memory corruption. The vulnerability is exploitable by an attacker capable of spoofing or replaying UDP DNS responses, potentially causing crashes or denial of service. The flaw affects Zephyr versions from 4.0.0 up to but not including 4.5.0.
Potential Impact
An attacker able to send spoofed or replayed UDP DNS responses can trigger a use-after-return condition, corrupting stack memory. This can lead to application crashes or denial of service. There is no direct confidentiality impact reported. The CVSS 3.1 score is 7.4 (High) with network attack vector, high impact on integrity and availability, and no privileges or user interaction required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix involves cancelling timed-out queries before retrying and resetting the semaphore to prevent stale callbacks. Until an official patch or update is released, users should monitor the vendor's advisories for updates and consider mitigating exposure to untrusted networks if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-02T15:11:49.060Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a40ac0127e9c79719547629
Added to database: 06/28/2026, 05:07:13 UTC
Last enriched: 06/28/2026, 05:21:15 UTC
Last updated: 06/28/2026, 07:17:26 UTC
Views: 19
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.