Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
On-link unauthenticated trigger via ICMPv6 (AV:A/PR:N/UI:N); primary impact is crash/DoS (A:H) with only marginal integrity from stat corruption (I:L) and no confidentiality (C:N).
Primary rating from Vendor (zephyr).
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
7DescriptionNVD
Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success path the network stack owns and releases the packet's reference (the L2/driver send unrefs it, e.g. ethernet_send - net_pkt_unref), so for a freshly allocated packet with refcount 1 the net_pkt slab block can be freed before the statistics line runs (synchronously when no TX queue thread is configured, or via a concurrent TX thread otherwise).
The subsequent net_pkt_iface(pkt) reads pkt-iface from the freed slab block, and with CONFIG_NET_STATISTICS_PER_INTERFACE enabled that loaded pointer is dereferenced to increment iface-stats.icmp.sent, a use-after-free (CWE-416). If the slab block was reallocated in the meantime the read/increment targets unrelated or attacker-influenced memory, yielding corrupted statistics, a fault/crash (denial of service), or potential limited memory corruption.
The vulnerable Neighbor Advertisement path is reachable by any unauthenticated on-link node simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled (handle_ns_input - net_ipv6_send_na).
Affected from v3.3.0 through v4.4.0; the fix uses the already-available iface argument instead of touching the sent packet. Configurations without per-interface statistics dereference only a global counter and are not affected by the memory-safety aspect.
AnalysisAI
Denial of service (and potential limited memory corruption) in the Zephyr RTOS IPv6 networking stack (versions 3.3.0 through 4.4.0) stems from a use-after-free in the IPv6 Neighbor Discovery send paths, where per-interface ICMP statistics are updated by reading from a network packet after the stack has already freed it. Any unauthenticated on-link node can trigger the Neighbor Advertisement path simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 and CONFIG_NET_STATISTICS_PER_INTERFACE enabled, causing a freed slab block to be dereferenced. There is no public exploit identified at time of analysis and EPSS is low (0.14%, 4th percentile); a vendor patch is available, and impact is largely limited to crashes/DoS with only theoretical limited memory corruption.
Technical ContextAI
The affected component is Zephyr's IPv6 Neighbor Discovery implementation in subsys/net/ip/ipv6_nbr.c, specifically net_ipv6_send_na, net_ipv6_send_ns, and net_ipv6_send_rs. Zephyr manages network packets (net_pkt) using reference-counted slab-allocated blocks; on a successful net_send_data() call, the L2/driver send path (e.g. ethernet_send) owns and releases the packet's final reference via net_pkt_unref, freeing the slab block. The root cause (CWE-416, Use After Free) is that the statistics line called net_pkt_iface(pkt) after net_send_data() returned, reading the pkt->iface field from a slab block whose refcount may already have dropped to zero and been freed - synchronously when no dedicated TX queue thread is configured, or via a race with a concurrent TX thread otherwise. When CONFIG_NET_STATISTICS_PER_INTERFACE is enabled, that stale pointer is dereferenced to increment iface->stats.icmp.sent. The CPE cpe:2.3:a:zephyrproject:zephyr identifies the affected product. The fix is trivial and correct: use the already-available iface function argument instead of re-deriving it from the sent packet.
RemediationAI
Upgrade to Zephyr 4.5.0 or later, which incorporates the upstream fix (commit aaed8332a62b0490a2f3c2cbabe272f575068eaa) that replaces net_pkt_iface(pkt) with the already-available iface argument in net_ipv6_send_na, net_ipv6_send_ns, and net_ipv6_send_rs; see the advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-r74c-mr4m-7g9g. Because Zephyr is typically vendored into device firmware, downstream maintainers should cherry-pick the one-line-per-function commit into their pinned tree and rebuild/redeploy firmware. As a compensating control where firmware cannot be rebuilt immediately, disabling CONFIG_NET_STATISTICS_PER_INTERFACE removes the memory-safety impact (the global-counter path is not affected), at the cost of losing per-interface ICMP statistics; alternatively, restricting or filtering inbound ICMPv6 Neighbor Solicitations at the L2 segment or disabling native IPv6 where unused reduces reachability, with the trade-off of impaired IPv6 neighbor discovery functionality.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37117