Skip to main content

Zephyr RTOS CVE-2026-10635

| EUVDEUVD-2026-37036 MEDIUM
Use After Free (CWE-416)
2026-06-16 zephyr
6.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
6.3 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
vuln.today AI
6.3 MEDIUM

Local vector and PR:H confirmed by description; page-table corruption yields I:H and A:H; C:L reflects partial isolation bypass risk.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 16, 2026 - 06:24 vuln.today
Analysis Generated
Jun 16, 2026 - 06:24 vuln.today

DescriptionNVD

On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain_deinit() - arch_mem_domain_deinit(), the page tables are torn down and domain-arch.ptables is set to NULL, but the domain's node was not removed from xtensa_domain_list. The freed/deinitialized domain therefore remained linked into the global list as a dangling pointer into caller-owned storage that may then be freed or reused. Any subsequent arch_mem_map()/arch_mem_unmap() operation (widely invoked by kernel memory-mapping and demand-paging code) traverses the stale node and dereferences domain-ptables: at minimum a NULL pointer dereference causing a fatal MMU exception (denial of service), and if the k_mem_domain storage has been freed or reused, a use-after-free in which a stale/controlled ptables value is dereferenced and written through during the page-table walk (l2_page_table_map writes l1_table[...] and l2_table[...], and xtensa_mmu_compute_domain_regs writes into the domain struct and the L1 table), yielding page-table memory corruption that can undermine userspace isolation. The vulnerable path is reachable only from privileged kernel/supervisor code (k_mem_domain_deinit is not a syscall), not directly from unprivileged user threads or remotely. Affected: Zephyr v4.4.0 (the Xtensa memory-domain de-initialization feature was introduced in commit 3032b58f52d and first shipped in v4.4.0); fixed on main by adding sys_slist_find_and_remove() in arch_mem_domain_deinit(). The Xtensa MPU path is unaffected.

AnalysisAI

Use-after-free in Zephyr RTOS v4.4.0 on Xtensa/MMU targets allows privileged kernel code to corrupt page tables or trigger a fatal MMU exception by destroying a memory domain without unlinking it from the global xtensa_domain_list. The dangling list node persists after arch_mem_domain_deinit() sets domain->arch.ptables to NULL, so any subsequent arch_mem_map() or arch_mem_unmap() call traverses the stale entry and dereferences the freed pointer - producing at minimum a denial-of-service kernel crash (NULL pointer deref) and at worst page-table memory corruption that undermines userspace process isolation. No public exploit code exists and no CISA KEV listing is present; however the integrity and availability impact (I:H, A:H) in a real-time OS kernel elevates practical severity beyond the 6.3 base score for affected embedded deployments.

Technical ContextAI

The vulnerable code resides in arch/xtensa/core/ptables.c within the Zephyr RTOS kernel, specifically the arch_mem_domain_deinit() function active only when both CONFIG_USERSPACE and CONFIG_XTENSA_MMU Kconfig options are enabled. Zephyr's Xtensa MMU port maintains a singly-linked list (xtensa_domain_list) of all active struct k_mem_domain objects, with the list node embedded directly inside each domain struct (domain->arch.node). CWE-416 (Use After Free) applies because domain_deinit tears down the L1/L2 page table structures and nullifies domain->arch.ptables but omits the mandatory sys_slist_find_and_remove() call to unlink the node from xtensa_domain_list. The result is a dangling list pointer into caller-owned (potentially freed or reused) storage. Downstream traversal functions l2_page_table_map and xtensa_mmu_compute_domain_regs both write through the stale ptables pointer - into L1 and L2 page table entries - creating exploitable memory corruption. The Xtensa MPU code path uses a different mechanism and is unaffected. CPE: cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*:*.

RemediationAI

The upstream fix is available as commit 33d43d09337119fc6084b4ab545f9267839973f6 in the Zephyr main branch (https://github.com/zephyrproject-rtos/zephyr/commit/33d43d09337119fc6084b4ab545f9267839973f6); it adds a single sys_slist_find_and_remove() call in arch_mem_domain_deinit() to properly unlink the domain node before teardown. A stable patched release version has not been independently confirmed from the available data - maintainers should verify whether a v4.4.1 or backport tag has been published via the GitHub advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-39v7-cx8j-gq82. For deployments that cannot apply the patch immediately, the most direct compensating control is to disable CONFIG_XTENSA_MMU and fall back to the MPU path if the target hardware supports it; however this may reduce memory protection granularity. Alternatively, audit all call sites of k_mem_domain_deinit() in the application firmware and eliminate or defer domain destruction so that stale entries never appear in xtensa_domain_list during active mapping operations - this constrains design flexibility but eliminates the vulnerable path without rebuilding firmware. Disabling CONFIG_USERSPACE entirely removes the feature but also eliminates userspace thread isolation entirely, which is an unacceptable trade-off for most security-conscious deployments.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy