Skip to main content

Zephyr RTOS CVE-2026-10634

| EUVDEUVD-2026-36727 MEDIUM
Use After Free (CWE-416)
2026-06-15 zephyr
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
5.3 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.4 MEDIUM

Adjacent vector and high complexity confirmed by race condition; PR:L for shell requirement; C:L rather than C:N because description explicitly identifies information disclosure via slab reuse as a realistic outcome.

3.1 AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:A/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
CVSS changed
Jul 01, 2026 - 14:07 NVD
4.8 (MEDIUM) 5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 15, 2026 - 16:31 vuln.today
Analysis Generated
Jun 15, 2026 - 16:31 vuln.today

DescriptionNVD

Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired it afterwards. During that window a concurrent tcp_conn_release(), running on the dedicated TCP work-queue thread when a connection's reference count drops to zero (e.g. a remote peer closing or resetting the connection), can remove and k_mem_slab_free() the cached next connection. When the iterator advances it dereferences the freed (and possibly reallocated) slab memory - a use-after-free that can crash the system (denial of service) and, if the slot has been reused, cause the callback to operate on an attacker-influenced object (potential information disclosure or further fault). net_tcp_foreach() is reached in production via the 'net conn' network shell command and via net_tcp_close_all_for_iface() on interface-down; the freeing side is driven by ordinary TCP traffic. The fix moves the connection/context teardown in tcp_conn_release() inside the tcp_lock critical section and keeps tcp_lock held across the callback in net_tcp_foreach(). The defect was introduced with the modern (TCP2) stack in 2020 and affects releases up to and including v4.4.0.

AnalysisAI

Use-after-free in Zephyr RTOS's native TCP2 stack allows a concurrent connection teardown - triggered by ordinary TCP traffic from an adjacent-network peer - to invalidate a cached iterator pointer in net_tcp_foreach(), crashing the system or causing the iterator callback to operate on attacker-influenced reallocated memory. All Zephyr releases from the TCP2 stack introduction in 2020 through v4.4.0 (inclusive) are affected. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the primary real-world risk is denial of service against embedded or IoT devices with TCP networking and shell access exposed on an adjacent network segment.

Technical ContextAI

Zephyr's TCP2 stack (subsys/net/ip/tcp.c, CPE cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*:*) maintains a global singly-linked list of TCP connections protected by tcp_lock (a k_mutex). The function net_tcp_foreach() iterates this list using SYS_SLIST_FOR_EACH_CONTAINER_SAFE, which caches a pointer to the next list node before each iteration step. Prior to the fix, net_tcp_foreach() dropped tcp_lock before invoking the per-connection callback and reacquired it afterward, creating an unlocked window. Concurrently, tcp_conn_release() - invoked from the dedicated TCP work-queue thread when a connection's reference count reaches zero (e.g., remote FIN or RST) - unlinks the connection from the global list and calls k_mem_slab_free() on the connection object. If this teardown races against the iterator's cached 'next' pointer, the iterator advances into freed slab memory that may have been reallocated - a textbook CWE-416 (Use After Free). The commit diff confirms the fix: tcp_conn_release() now performs teardown under tcp_lock, and net_tcp_foreach() holds tcp_lock continuously across the callback, eliminating the race window.

RemediationAI

Apply the upstream fix from commit cd85e0e890ab89815c4cbc0a8fbc03a3efa84dc2 (https://github.com/zephyrproject-rtos/zephyr/commit/cd85e0e890ab89815c4cbc0a8fbc03a3efa84dc2), which restructures locking in tcp_conn_release() and net_tcp_foreach() to eliminate the race window. A specific tagged patched release version has not been independently confirmed - only the upstream commit is available at time of analysis; integrators building from the Zephyr repository should cherry-pick or rebase past this commit. Until patched, the most impactful compensating control is disabling the Zephyr network shell at build time (set CONFIG_NET_SHELL=n), which removes the 'net conn' command - one of the two confirmed entry points into net_tcp_foreach() - with no functional trade-off for production (non-diagnostic) builds. The second entry point, net_tcp_close_all_for_iface() triggered on interface-down, cannot be disabled without broader impact; restrict who can trigger interface state changes instead. Additionally, enforce strict adjacent-network segmentation (e.g., VLAN isolation, port-level access control) to limit the pool of peers able to initiate the TCP teardown side of the race. Refer to the GitHub advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-6c57-xfhw-j26x for vendor guidance.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10634 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy