Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Reachable unauthenticated only on the local link (AV:A, PR:N) and reliably triggerable (AC:L); dominant availability crash (A:H) with only a race-dependent stray write giving low integrity impact (I:L) and no confidentiality impact.
Primary rating from Vendor (zephyr).
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
7DescriptionNVD
subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after that call'), a successful send transfers ownership of the net_pkt and the L2 driver frees it (e.g. ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab. The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot is concurrently reallocated, pkt-iface may read back as NULL (NULL-pointer dereference / crash) or as a stale/garbage pointer (stray increment write / memory corruption). The path is reachable remotely on the local link without authentication: handle_mld_query() (registered for NET_ICMPV6_MLD_QUERY) responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() - mld_send(). The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption. The fix caches the interface in a local before sending and no longer touches the packet after net_send_data(). The IPv4/IGMP sibling (igmp_send) already used the corrected pattern.
AnalysisAI
Remotely triggerable denial of service in the Zephyr RTOS networking stack (versions 1.12.0 through 4.4.x) arises from a use-after-free in the IPv6 MLD code path, where mld_send() reads net_pkt_iface(pkt) after net_send_data() has already transferred packet ownership and the L2 driver freed it back to its memory slab. An unauthenticated attacker on the local link can elicit the vulnerable path by sending a crafted MLDv2 General Query, causing a NULL-pointer dereference crash or, in a narrow race, memory corruption via a stray statistics increment. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and the issue is not in CISA KEV; a vendor patch is available.
Technical ContextAI
Zephyr is a small-footprint real-time operating system for resource-constrained embedded and IoT devices, including its own IPv6/ICMPv6 networking stack. The root cause is CWE-416 (Use After Free): the network stack enforces an ownership contract (documented in include/zephyr/net/net_core.h and warned about explicitly at subsys/net/ip/net_core.c:453-460, 'do not use pkt after that call') whereby a successful net_send_data() hands the net_pkt to the L2 driver, which unrefs and returns it to its k_mem_slab (e.g. ethernet_send() at subsys/net/l2/ethernet/ethernet.c:790). In subsys/net/ip/ipv6_mld.c, mld_send() nonetheless calls net_pkt_iface(pkt) on the already-freed packet and passes the recovered interface pointer into the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot has been concurrently reallocated, the interface field can read back as NULL (crash) or as a stale/garbage pointer (out-of-bounds increment write / corruption). The affected product per CPE is cpe:2.3:a:zephyrproject:zephyr:*. The IPv4/IGMP sibling igmp_send() already used the safe pattern of caching the interface before sending.
RemediationAI
Vendor-released patch: upgrade to Zephyr 4.5.0, which fixes the flaw by caching the interface in a local variable (__maybe_unused struct net_if *iface = net_pkt_iface(pkt)) before net_send_data() and no longer touching the packet afterward, per commit 3159c53e8e7d233c2a85a0798cf25ac441db6dae and advisory GHSA-m23w-34pp-4h92. For devices that cannot be updated immediately, the most direct compensating control is to disable CONFIG_NET_STATISTICS_PER_INTERFACE in the build, which removes the vulnerable statistics dereference entirely at the cost of losing per-interface network counters; alternatively, where IPv6 multicast is not required, disabling IPv6 MLD support removes reachability of handle_mld_query()/mld_send() but breaks IPv6 multicast group management. At the network layer, restrict or filter link-local MLDv2 General Queries to trusted routers and segment vulnerable devices onto isolated L2 domains so untrusted hosts cannot reach them on the local link; note this only mitigates the adjacent-network exposure and does not remove the code defect. Because the patch is a small, well-understood localized change already proven in the IGMP sibling, upgrading is strongly preferred over workarounds.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37114