Skip to main content

Zephyr RTOS CVE-2026-10639

| EUVDEUVD-2026-37116 MEDIUM
Use After Free (CWE-416)
2026-06-16 zephyr
4.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
4.8 MEDIUM

Network-reachable via unauthenticated ICMP ping (AV:N/PR:N) but exploitation requires winning an asynchronous TX-thread timing race (AC:H); no controlled confidentiality exposure from the freed-memory read.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 16, 2026 - 15:42 vuln.today
Analysis Generated
Jun 16, 2026 - 15:42 vuln.today

DescriptionNVD

In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx - net_if_tx - L2/driver send, or the asynchronous net_if_tx_thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref - k_mem_slab_free) before the stats line runs. net_core.c documents this exact contract ('the pkt might contain garbage already ... do not use pkt after that call').

The post-send net_pkt_iface(reply) therefore reads reply-iface out of a freed (and possibly already reallocated) net_pkt, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer.

The path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input - net_icmp_call_ipv4_handlers - icmpv4_handle_echo_request) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS).

The defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free because it reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates.

AnalysisAI

Use-after-free in Zephyr RTOS's ICMPv4 echo handler allows any unauthenticated remote host to trigger memory corruption or a crash by sending a standard ICMP ping to an affected device. The defect exists in all versions from v1.14 (2019) through v4.4.0, where icmpv4_handle_echo_request() reads from a freed net_pkt struct after transferring packet ownership to the TX path - violating a contract explicitly documented in net_core.c. No public exploit code exists and this CVE does not appear in CISA KEV, but the zero-privilege, network-reachable attack surface makes it a meaningful risk for internet-exposed embedded and IoT deployments running Zephyr with ICMP statistics enabled.

Technical ContextAI

The vulnerable component is Zephyr's native IPv4 networking stack (subsys/net/ip/icmpv4.c), specifically icmpv4_handle_echo_request(). CWE-416 (Use After Free) applies: net_try_send_data() transfers ownership of the allocated reply net_pkt buffer to the TX path (net_if_try_queue_txnet_if_tx → L2/driver send, or the asynchronous net_if_tx_thread), which may decrement the refcount to zero and return the struct to the kernel memory slab (net_pkt_unrefk_mem_slab_free) before the calling function exits. The original code then calls net_stats_update_icmp_sent(net_pkt_iface(reply)), dereferencing the iface field of a potentially freed - and possibly reallocated - net_pkt. With CONFIG_NET_STATISTICS_PER_INTERFACE enabled, the stats macro also writes through this stale pointer, constituting a wild-pointer write. The net_core.c documentation explicitly warns: 'the pkt might contain garbage already ... do not use pkt after that call', making this a violation of an established internal API contract. CPE cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*:* confirms the wildcard version range tracked by NVD, consistent with the v1.14-v4.4.0 window stated in the description.

RemediationAI

The upstream fix is confirmed in commit 86e21665d4641f304dc3895bfb03b8f89db83291 (https://github.com/zephyrproject-rtos/zephyr/commit/86e21665d4641f304dc3895bfb03b8f89db83291), which caches the interface pointer from the live received packet (struct net_if *iface = net_pkt_iface(pkt)) before calling net_try_send_data(), then uses this cached pointer for all subsequent stats updates - eliminating the post-send dereference of the freed reply packet. A specific tagged release version containing this fix was not independently confirmable from the available data; teams should verify the commit is present in their target Zephyr branch or apply the patch directly. As a build-time compensating control where immediate patching is not feasible, disabling CONFIG_NET_STATISTICS_ICMP removes the vulnerable stats-update code path entirely, at the cost of losing ICMP statistics visibility. Blocking inbound ICMP echo requests at the network perimeter (firewall or router ACL) prevents the vulnerable handler from being triggered remotely, with the trade-off of eliminating ping-based reachability monitoring. Vendor advisory: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-qhrf-w466-qmpw.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10639 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy