<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="https://devzone.nordicsemi.com/cfs-file/__key/system/syndication/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>CVE-2026-10646 mitigation in SDK 3.4.0?</title><link>https://devzone.nordicsemi.com/f/nordic-q-a/128640/cve-2026-10646-mitigation-in-sdk-3-4-0</link><description>Hello all, 
 Recently we faced a issue in our project that is very likely related to NVD - CVE-2026-10646 . This vulnerability is mitigated in commit cd27da58e on the Zephyr repository. 
 Some days ago we received the announcement of SDK v3.4.0, which</description><dc:language>en-US</dc:language><generator>Telligent Community 13</generator><lastBuildDate>Mon, 06 Jul 2026 13:33:10 GMT</lastBuildDate><atom:link rel="self" type="application/rss+xml" href="https://devzone.nordicsemi.com/f/nordic-q-a/128640/cve-2026-10646-mitigation-in-sdk-3-4-0" /><item><title>RE: CVE-2026-10646 mitigation in SDK 3.4.0?</title><link>https://devzone.nordicsemi.com/thread/568821?ContentTypeID=1</link><pubDate>Mon, 06 Jul 2026 13:33:10 GMT</pubDate><guid isPermaLink="false">137ad170-7792-4731-bb38-c0d22fbe4515:85b60024-ce6c-41c1-953c-fe37b1678634</guid><dc:creator>Amanda Hsieh</dc:creator><description>&lt;p&gt;Hi &lt;span&gt;Alejandro&lt;/span&gt;,&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;The fix is not yet present in NCS v3.4.0. It should be included in NCS v3.4.1.&lt;/span&gt;&lt;/p&gt;
[quote user=""]In the case that there are no plans to release this patch in the short term, is it possible to force the project to point to a given version of the Zephyr repository, or will it collide with any internal SDK / toolchain check? We use the nRF extensions for VS Code, and very seldom execute raw &amp;#39;west&amp;#39; commands.[/quote]
&lt;p&gt;&lt;span&gt;This won&amp;#39;t work. NCS cannot work with upstream Zephyr directly, as our fork (sdk-zephyr) has some out-of-tree patches. The only short-term solution I see is to cherry-pick the commit with the fix manually to the local sdk-zephyr instance. Here is the&amp;nbsp;PR for sdk-zephyr (towards ncs-v3.4-branch):&amp;nbsp;&lt;a title="https://github.com/nrfconnect/sdk-zephyr/pull/4266" href="https://github.com/nrfconnect/sdk-zephyr/pull/4266" rel="noopener noreferrer" target="_blank"&gt;net: Cherry-pick bugfixes from upstream by rlubos · Pull Request #4266 · nrfconnect/sdk-zephyr&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Regards,&lt;br /&gt;Amanda H.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;</description></item></channel></rss>