Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Local vector and PR:H confirmed by description; page-table corruption yields I:H and A:H; C:L reflects partial isolation bypass risk.
Primary rating from Vendor (zephyr).
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain_deinit() - arch_mem_domain_deinit(), the page tables are torn down and domain-arch.ptables is set to NULL, but the domain's node was not removed from xtensa_domain_list. The freed/deinitialized domain therefore remained linked into the global list as a dangling pointer into caller-owned storage that may then be freed or reused. Any subsequent arch_mem_map()/arch_mem_unmap() operation (widely invoked by kernel memory-mapping and demand-paging code) traverses the stale node and dereferences domain-ptables: at minimum a NULL pointer dereference causing a fatal MMU exception (denial of service), and if the k_mem_domain storage has been freed or reused, a use-after-free in which a stale/controlled ptables value is dereferenced and written through during the page-table walk (l2_page_table_map writes l1_table[...] and l2_table[...], and xtensa_mmu_compute_domain_regs writes into the domain struct and the L1 table), yielding page-table memory corruption that can undermine userspace isolation. The vulnerable path is reachable only from privileged kernel/supervisor code (k_mem_domain_deinit is not a syscall), not directly from unprivileged user threads or remotely. Affected: Zephyr v4.4.0 (the Xtensa memory-domain de-initialization feature was introduced in commit 3032b58f52d and first shipped in v4.4.0); fixed on main by adding sys_slist_find_and_remove() in arch_mem_domain_deinit(). The Xtensa MPU path is unaffected.
AnalysisAI
Use-after-free in Zephyr RTOS v4.4.0 on Xtensa/MMU targets allows privileged kernel code to corrupt page tables or trigger a fatal MMU exception by destroying a memory domain without unlinking it from the global xtensa_domain_list. The dangling list node persists after arch_mem_domain_deinit() sets domain->arch.ptables to NULL, so any subsequent arch_mem_map() or arch_mem_unmap() call traverses the stale entry and dereferences the freed pointer - producing at minimum a denial-of-service kernel crash (NULL pointer deref) and at worst page-table memory corruption that undermines userspace process isolation. No public exploit code exists and no CISA KEV listing is present; however the integrity and availability impact (I:H, A:H) in a real-time OS kernel elevates practical severity beyond the 6.3 base score for affected embedded deployments.
Technical ContextAI
The vulnerable code resides in arch/xtensa/core/ptables.c within the Zephyr RTOS kernel, specifically the arch_mem_domain_deinit() function active only when both CONFIG_USERSPACE and CONFIG_XTENSA_MMU Kconfig options are enabled. Zephyr's Xtensa MMU port maintains a singly-linked list (xtensa_domain_list) of all active struct k_mem_domain objects, with the list node embedded directly inside each domain struct (domain->arch.node). CWE-416 (Use After Free) applies because domain_deinit tears down the L1/L2 page table structures and nullifies domain->arch.ptables but omits the mandatory sys_slist_find_and_remove() call to unlink the node from xtensa_domain_list. The result is a dangling list pointer into caller-owned (potentially freed or reused) storage. Downstream traversal functions l2_page_table_map and xtensa_mmu_compute_domain_regs both write through the stale ptables pointer - into L1 and L2 page table entries - creating exploitable memory corruption. The Xtensa MPU code path uses a different mechanism and is unaffected. CPE: cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*:*.
RemediationAI
The upstream fix is available as commit 33d43d09337119fc6084b4ab545f9267839973f6 in the Zephyr main branch (https://github.com/zephyrproject-rtos/zephyr/commit/33d43d09337119fc6084b4ab545f9267839973f6); it adds a single sys_slist_find_and_remove() call in arch_mem_domain_deinit() to properly unlink the domain node before teardown. A stable patched release version has not been independently confirmed from the available data - maintainers should verify whether a v4.4.1 or backport tag has been published via the GitHub advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-39v7-cx8j-gq82. For deployments that cannot apply the patch immediately, the most direct compensating control is to disable CONFIG_XTENSA_MMU and fall back to the MPU path if the target hardware supports it; however this may reduce memory protection granularity. Alternatively, audit all call sites of k_mem_domain_deinit() in the application firmware and eliminate or defer domain destruction so that stale entries never appear in xtensa_domain_list during active mapping operations - this constrains design flexibility but eliminates the vulnerable path without rebuilding firmware. Disabling CONFIG_USERSPACE entirely removes the feature but also eliminates userspace thread isolation entirely, which is an unacceptable trade-off for most security-conscious deployments.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37036