Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
AV:N because IGMP queries arrive over the network; AC:H because reliable impact requires a race-condition timing dependency; PR:N because IGMP is unauthenticated; A:L for sporadic crash only.
Primary rating from Vendor (zephyr).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionNVD
In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been released by the L2 driver or by the network stack's TX handling (synchronously in the default NET_TC_TX_COUNT=0 immediate-transmit configuration), returning the net_pkt slab block to its free list. The subsequent net_pkt_iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write. The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net_ipv4_igmp_input - send_igmp_report/send_igmp_v3_report - igmp_send), as well as from local multicast join/leave/rejoin operations. Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse. The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld_send in subsys/net/ip/ipv6_mld.c) retains the same unfixed pattern.
AnalysisAI
Use-after-free in Zephyr's IPv4 IGMP implementation (igmp_send(), subsys/net/ip/igmp.c) allows a remote unauthenticated attacker to trigger undefined behavior and sporadic denial-of-service crashes on devices running Zephyr v2.6.0 through v4.4.0. The flaw arises because the network packet's interface pointer is re-read via net_pkt_iface(pkt) after net_send_data() may have already released the packet's last reference, returning the slab block to the free list. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Remote trigger path: IPv4 IGMP must be enabled on the target interface (the default for any Zephyr device with multicast-capable networking); an attacker must be able to send IPv4 multicast packets to 224.0.0.1 on the same network segment (IGMP is link-local by default and not routed across subnets without a multicast router). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) correctly captures this as a low-severity, high-complexity vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the same IPv4 multicast domain sends a crafted IGMP General Membership Query addressed to 224.0.0.1, which causes the Zephyr network stack to invoke net_ipv4_igmp_input and then igmp_send() to generate a membership report. In the default synchronous TX configuration, net_send_data() releases the packet's last reference before returning, and the subsequent net_pkt_iface(pkt) call reads the freed slab block, producing undefined behavior that manifests as a sporadic crash or memory corruption of the statistics counters. … |
| Remediation | The vendor-released fix is available as upstream commit 0223e5e3ec5ebc51e8d0328fc3e604fa43552f54 (https://github.com/zephyrproject-rtos/zephyr/commit/0223e5e3ec5ebc51e8d0328fc3e604fa43552f54); a specific tagged release version containing this fix was not identified in the provided data - integrators should confirm the fix version via the GitHub Security Advisory GHSA-fj6q-975v-65c9. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37113