Skip to main content

Zephyr RTOS CVE-2026-10637

| EUVDEUVD-2026-37114 HIGH
Use After Free (CWE-416)
2026-06-16 zephyr
7.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
7.1 HIGH

Reachable unauthenticated only on the local link (AV:A, PR:N) and reliably triggerable (AC:L); dominant availability crash (A:H) with only a race-dependent stray write giving low integrity impact (I:L) and no confidentiality impact.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jul 01, 2026 - 14:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 01, 2026 - 14:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 01, 2026 - 14:22 vuln.today
cvss_changed
Severity Changed
Jul 01, 2026 - 14:22 NVD
MEDIUM HIGH
CVSS changed
Jul 01, 2026 - 14:22 NVD
5.9 (MEDIUM) 7.1 (HIGH)
Source Code Evidence Fetched
Jun 16, 2026 - 15:44 vuln.today
Analysis Generated
Jun 16, 2026 - 15:44 vuln.today

DescriptionNVD

subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after that call'), a successful send transfers ownership of the net_pkt and the L2 driver frees it (e.g. ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab. The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot is concurrently reallocated, pkt-iface may read back as NULL (NULL-pointer dereference / crash) or as a stale/garbage pointer (stray increment write / memory corruption). The path is reachable remotely on the local link without authentication: handle_mld_query() (registered for NET_ICMPV6_MLD_QUERY) responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() - mld_send(). The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption. The fix caches the interface in a local before sending and no longer touches the packet after net_send_data(). The IPv4/IGMP sibling (igmp_send) already used the corrected pattern.

AnalysisAI

Remotely triggerable denial of service in the Zephyr RTOS networking stack (versions 1.12.0 through 4.4.x) arises from a use-after-free in the IPv6 MLD code path, where mld_send() reads net_pkt_iface(pkt) after net_send_data() has already transferred packet ownership and the L2 driver freed it back to its memory slab. An unauthenticated attacker on the local link can elicit the vulnerable path by sending a crafted MLDv2 General Query, causing a NULL-pointer dereference crash or, in a narrow race, memory corruption via a stray statistics increment. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and the issue is not in CISA KEV; a vendor patch is available.

Technical ContextAI

Zephyr is a small-footprint real-time operating system for resource-constrained embedded and IoT devices, including its own IPv6/ICMPv6 networking stack. The root cause is CWE-416 (Use After Free): the network stack enforces an ownership contract (documented in include/zephyr/net/net_core.h and warned about explicitly at subsys/net/ip/net_core.c:453-460, 'do not use pkt after that call') whereby a successful net_send_data() hands the net_pkt to the L2 driver, which unrefs and returns it to its k_mem_slab (e.g. ethernet_send() at subsys/net/l2/ethernet/ethernet.c:790). In subsys/net/ip/ipv6_mld.c, mld_send() nonetheless calls net_pkt_iface(pkt) on the already-freed packet and passes the recovered interface pointer into the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot has been concurrently reallocated, the interface field can read back as NULL (crash) or as a stale/garbage pointer (out-of-bounds increment write / corruption). The affected product per CPE is cpe:2.3:a:zephyrproject:zephyr:*. The IPv4/IGMP sibling igmp_send() already used the safe pattern of caching the interface before sending.

RemediationAI

Vendor-released patch: upgrade to Zephyr 4.5.0, which fixes the flaw by caching the interface in a local variable (__maybe_unused struct net_if *iface = net_pkt_iface(pkt)) before net_send_data() and no longer touching the packet afterward, per commit 3159c53e8e7d233c2a85a0798cf25ac441db6dae and advisory GHSA-m23w-34pp-4h92. For devices that cannot be updated immediately, the most direct compensating control is to disable CONFIG_NET_STATISTICS_PER_INTERFACE in the build, which removes the vulnerable statistics dereference entirely at the cost of losing per-interface network counters; alternatively, where IPv6 multicast is not required, disabling IPv6 MLD support removes reachability of handle_mld_query()/mld_send() but breaks IPv6 multicast group management. At the network layer, restrict or filter link-local MLDv2 General Queries to trusted routers and segment vulnerable devices onto isolated L2 domains so untrusted hosts cannot reach them on the local link; note this only mitigates the adjacent-network exposure and does not remove the code defect. Because the patch is a small, well-understood localized change already proven in the IGMP sibling, upgrading is strongly preferred over workarounds.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10637 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy