External risk intelligence

Zephyr RTOS Network Address Parsing Stack Buffer Overflow

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-10666

The vulnerability resides in a core RTOS network parser. It is reachable via standard socket APIs, DNS processing, and Wi-Fi co-processor logic. Since Zephyr is used in diverse IoT applications, exposure depends on whether a specific product processes untrusted network address strings. While widespread in the codebase, actual external accessibility varies by device implementation.

Denial of Service

Zephyrproject Zephyr

1.9.0 to 4.4.1

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects a network parsing function within the Zephyr Real-Time Operating System, which could allow an attacker to corrupt memory and potentially take control of a device by sending a specially crafted network address. The main concern is confirming relevance and exposure within your deployed systems.

  • Network address parsing flaw.
  • Affects devices processing network addresses.
  • Confirm if your systems are affected.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted network address string to a device running vulnerable Zephyr software. This string, when processed by the `parse_ipv4()` function, can cause an out-of-bounds write to the stack. This memory corruption can lead to a denial-of-service or potentially allow an attacker to gain control of the device's execution flow.

  • Network access to the device.
  • Parsing of a malformed IPv4 address string.
  • Memory corruption, denial-of-service, or control-flow hijack.

Live Threat

Current exploitation, exposure, and threat context

A crafted network address string could lead to an out-of-bounds write on the stack when processing IP addresses with port information. This could result in memory corruption, potentially leading to a denial of service or control-flow hijack in applications that resolve network-influenced address strings, such as those using standard socket APIs or configured via DNS.

  • System memory could be corrupted.
  • An attacker could send a malformed address.
  • Denial of service or code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the Zephyr RTOS network IP address parsing function is critical and exposed through standard socket APIs, DNS resolution, and Wi-Fi co-processor paths, making it a concern for application owners and platform teams. The immediate first step is to identify all deployments of the affected Zephyr versions, determine reachability and business criticality, and then assign ownership for remediation planning.

  • Application and platform teams own the issue.
  • Verify affected technology reachability and criticality.
  • Plan remediation based on identified risks.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Zephyr RTOS?

Zephyr is a real-time operating system (RTOS) designed for resource-constrained devices, such as IoT sensors, wearables, and industrial controllers. It provides the core networking stack and drivers that manage how these embedded devices communicate over networks, making it a foundation for many connected embedded products.

What does CVE-2026-10666 mean?

This CVE identifies a buffer overflow weakness, classified as CWE-121 (Stack-based Buffer Overflow). It occurs when the software tries to write more data into a fixed memory area than it can hold. Because the system fails to check the size of the input, a specifically crafted address string can overwrite adjacent memory, which might cause the device to crash or allow an attacker to alter its execution.

How is this vulnerability triggered?

It is triggered when the system parses an IPv4 address string containing a colon followed by a port number. If the input includes a maliciously long sequence after the colon, the internal function copies this data into a buffer that is too small. Simple IPv4 strings without a port suffix or those with standard, short port numbers do not trigger this specific memory corruption error.

Is my device at risk?

Risk depends on whether your device processes untrusted network address strings. Halo Surface Signal notes this vulnerability is reachable through socket APIs, DNS configurations, and Wi-Fi co-processor interactions. If your product resolves addresses from external network traffic, it may be exposed. The vulnerability is less relevant for devices that do not handle remote network configuration or input.

What should I do if I use Zephyr?

Start by identifying all deployments running Zephyr versions 1.9.0 through 4.4.1. Once identified, evaluate if your application uses the affected parsing functions by processing network-influenced address strings. Prioritize your response based on the device's exposure to external networks and business impact, and coordinate with your platform team to schedule the necessary software updates.

References