Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
I:L added over the vendor's I:N because CONFIG_NET_STATISTICS_PER_INTERFACE enables an attacker-influenced write through a stale pointer; AC:H retained for the non-deterministic race in default TX-queue configurations.
Primary rating from Vendor (zephyr).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply) / net_pkt_iface(pkt) on the just-sent packet. The send path (net_try_send_data() -> net_if_tx()) unreferences the packet and may free it back to its memory slab before returning: synchronously in the RX thread when no TX queue is configured (CONFIG_NET_TC_TX_COUNT == 0), and otherwise asynchronously, where the driver/L2 may already have freed it. net_pkt_iface() therefore dereferences a freed (and possibly reused) net_pkt; with CONFIG_NET_STATISTICS_PER_INTERFACE the stale iface pointer is further dereferenced and written through (iface->stats.icmp.sent++), turning the use-after-free read into a write through an attacker-influenceable pointer. The core stack already documents this hazard in net_core.c ("do not use pkt after that call") and caches iface before sending; the ICMPv6 callers did not. An unauthenticated remote attacker triggers the flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error (unknown next header, fragment reassembly timeout, destination unreachable), leading to denial of service via crash and potential memory corruption. Affected: Zephyr networking with CONFIG_NET_NATIVE_IPV6, roughly v4.2.0 through v4.4.0. The fix caches the interface pointer before sending and uses it for all statistics updates; the sibling commit 86e21665d46 fixes the identical bug in ICMPv4.
Analysis (AI)
Use-after-free in Zephyr RTOS's ICMPv6 stack (v4.2.0-v4.4.0) allows an unauthenticated remote attacker to crash the networking stack and potentially corrupt memory by sending a standard ICMPv6 Echo Request or any IPv6 packet that elicits an ICMPv6 error response. Both icmpv6_handle_echo_request() and net_icmpv6_send_error() call net_pkt_iface() on a packet after transferring it to net_try_send_data(), which may synchronously or asynchronously free the packet back to its memory slab before the statistics update executes. …
Vulnerability Assessment (AI)
| Exploitation | The target must run Zephyr RTOS v4.2.0-v4.4.0 compiled with `CONFIG_NET_NATIVE_IPV6=y`. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) captures network reachability and unauthenticated access, but AC:H reflects a race condition that is not uniformly applicable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to a Zephyr-based embedded device's IPv6 address sends a standard ICMPv6 Echo Request (ping6); on a device with no TX queue (`CONFIG_NET_TC_TX_COUNT == 0`), the Zephyr ICMPv6 handler constructs a reply, passes the packet to `net_try_send_data()`, and the packet is freed back to its memory slab synchronously before control returns to the statistics update code, which then dereferences the freed `net_pkt`. If `CONFIG_NET_STATISTICS_PER_INTERFACE` is enabled, the stale `net_if *` pointer is written through, potentially corrupting adjacent memory structures and crashing the network stack or enabling further exploitation. … |
| Remediation | Apply upstream fix commit `09c8578c66b517c5165cde53332ed5d8d8ef2cfc` from the Zephyr project repository (https://github.com/zephyrproject-rtos/zephyr/commit/09c8578c66b517c5165cde53332ed5d8d8ef2cfc), which caches the `net_if *iface` pointer before invoking `net_try_send_data()` in both `icmpv6_handle_echo_request()` and `net_icmpv6_send_error()`, ensuring all subsequent statistics updates use the pre-captured pointer rather than re-dereferencing the potentially freed packet. … Detailed patch versions, workarounds, and compensating controls in full report. |
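The hazard described in the description and remediation rows, reduced to its shape as an added example: the vulnerable handler reads the interface through the packet after the send consumes it, the fixed handler caches the interface first. The types, slab and `send_consumes()` are constructed stand-ins for Zephyr's `net_if`, `net_pkt` and `net_try_send_data()`, not the project's own code; freeing poisons the slot so the stale read is observable rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for Zephyr's net_if, net_pkt and its memory slab; not the real types. */
struct net_if { uint32_t icmp_sent; };
struct net_pkt { struct net_if *iface; bool in_use; };
static struct net_pkt slab[2];

static struct net_pkt *pkt_alloc(struct net_if *iface) {
    for (size_t i = 0; i < sizeof slab / sizeof slab[0]; i++)
        if (!slab[i].in_use) {
            slab[i] = (struct net_pkt){ .iface = iface, .in_use = true };
            return &slab[i];
        }
    return NULL;
}

/* Stand-in for net_try_send_data(): the packet is consumed and may be freed (and reused)
 * before this returns. Freeing poisons the slot so the stale read below stays observable. */
static int send_consumes(struct net_pkt *pkt) {
    *pkt = (struct net_pkt){ .iface = NULL, .in_use = false };
    return 0;
}

/* Vulnerable shape: the post-send statistics read iface through the sent packet. */
static struct net_if *handle_echo_vulnerable(struct net_pkt *reply) {
    send_consumes(reply);
    return reply->iface;   /* use-after-free: reply must not be touched here */
}

/* Fixed shape: cache iface before the send and update statistics through it. */
static struct net_if *handle_echo_fixed(struct net_pkt *reply) {
    struct net_if *iface = reply->iface;
    send_consumes(reply);
    iface->icmp_sent++;    /* per-interface counter via the cached pointer */
    return iface;
}

/* True when the vulnerable handler's post-send read observed the poisoned slot. */
bool demo_vulnerable_reads_stale(void) {
    struct net_if iface = {0};
    return handle_echo_vulnerable(pkt_alloc(&iface)) != &iface;
}

/* Counter value on the interface after one fixed-handler run. */
uint32_t demo_fixed_sent_count(void) {
    struct net_if iface = {0};
    handle_echo_fixed(pkt_alloc(&iface));
    return iface.icmp_sent;
}
```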
Weakness: CWE-416 – Use After Free
EUVD-2026-37115
GHSA-wqjx-hrch-347f