Hello all,
Recently we faced a issue in our project that is very likely related to NVD - CVE-2026-10646. This vulnerability is mitigated in commit cd27da58e on the Zephyr repository.
Some days ago we received the announcement of SDK v3.4.0, which is based on Zephyr OS v4.4. It seems that this Zephyr version was released just few days before commit cd27da58e was made. Before we migrate to the latest SDK, we would like to know if it already includes the mentioned commit for mitigating the CVE, or if it is planned to be included in a future patch-level version.
In the case that there are no plans to release this patch in the short term, is it possible to force the project to point to a given version of the Zephyr repository, or will it collide with any internal SDK / toolchain check? We use the nRF extensions for VS Code, and very seldom execute raw 'west' commands.
Thank you very much in advance.