🟠 《高危安全漏洞:CVE-2026-10643》

CVSS 评分: 高危(8.7)  状态: Received  发布时间: 2026-06-28

英文原文描述

Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg-msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the payload. Because the check omitted the cmsg header size, a control buffer whose length falls in the under-checked window (e.g. 16-27 bytes for IPv4 IP_PKTINFO on a 64-bit target, where a single element actually occupies 28 bytes) passes the guard yet causes a fixed-size out-of-bounds write of up to one cmsg header (~12 bytes) past the end of the buffer. Under CONFIG_USERSPACE the recvmsg verifier allocates a kernel-heap copy of the control buffer sized to msg_controllen and runs the implementation against it, so the overflow corrupts kernel heap memory and is triggerable from an unprivileged userspace thread; in supervisor mode it corrupts the caller's buffer. The path is reachable on a UDP/IP socket with IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled when the application calls recvmsg() with an undersized control buffer and a datagram is received; part of the overwritten bytes (the destination IP in ipi_addr) is influenced by the received packet. The fix makes the capacity check use NET_CMSG_SPACE(pktinfo_len) (aligned header + aligned data) and returns -ENOMEM when the buffer is too small. Affected: v3.6.0 through v4.4.0.

🔍 技术细节

字段
CVE ID CVE-2026-10643
CVSS 评分 8.7 🟠
严重程度 高危
CVSS 向量 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
CWE 分类 CWE-787
发布时间 2026-06-28
最后更新 2026-06-28
状态 Received
数据来源 vulnerabilities@zephyrproject.org

🔗 参考链接

🤖 本文由 CVE 安全快讯机器人自动生成
英文描述已由 AI 自动翻译为中文,仅供参考,请以原文为准
数据来源: NVD (National Vulnerability Database) | 获取时间: 2026-06-28 18:15