Skip to main content

Zephyr RTOS CVE-2026-10648

MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-29 zephyr
5.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.2 MEDIUM

Local vector confirmed by serial/UART/console-only attack path; PR:N because no authentication is enforced on the physical link itself; A:H for hard device fault; no confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
CVSS changed
Jul 01, 2026 - 14:07 NVD
6.2 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Jun 29, 2026 - 23:31 vuln.today

DescriptionNVD

mcumgr_serial_process_frag() in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset() on the result of smp_packet_alloc() before checking it for NULL. smp_packet_alloc() uses net_buf_alloc(K_NO_WAIT) against the shared MCUmgr packet pool (CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT, default 4), which returns NULL when the pool is exhausted. In default builds the __ASSERT_NO_MSG in net_buf_reset is a no-op, so net_buf_simple_reset writes through the NULL pointer (buf->len = 0; buf->data = buf->__buf), causing a fault/crash. The fragment data reaches this code from attacker-controlled bytes on the MCUmgr serial/UART/shell-console transports (smp_uart.c, smp_raw_uart.c, smp_shell.c), and a fresh buffer is allocated at the start of essentially every new packet. An attacker on the serial/console link can flood the transport to drive the 4-entry buffer pool to exhaustion and induce the NULL dereference, crashing the device (denial of service). The defect was introduced after the original MCUmgr rework and shipped in Zephyr v4.4.0. The fix moves the NULL check ahead of net_buf_reset.

AnalysisAI

Denial of service in Zephyr RTOS v4.4.0 allows an attacker with access to a serial, UART, or shell-console interface to crash an affected embedded device by exhausting the MCUmgr shared buffer pool and triggering a NULL pointer dereference. The defect in mcumgr_serial_process_frag() (CWE-476) was introduced during the MCUmgr rework and manifests in default builds where assertion checks are compiled out, making the write-through-NULL a hard fault rather than a caught assertion. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain serial/UART or shell-console link access
Delivery
Transmit rapid SMP fragment flood
Exploit
Exhaust 4-entry MCUmgr buffer pool
Execution
smp_packet_alloc() returns NULL
Persist
net_buf_reset() writes through NULL pointer
Impact
Processor fault and device crash

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to have access to the MCUmgr serial, UART, or shell-console transport link on the target device - specifically, one of the three affected transport drivers (smp_uart.c, smp_raw_uart.c, or smp_shell.c) must be compiled into the firmware. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.2 (Medium) with vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H accurately reflects the constrained attack surface: exploitation requires physical or logical presence on the serial or shell-console link, which substantially limits the attacker population compared to network-reachable vulnerabilities. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with physical or logical access to a UART or shell-console port on a Zephyr v4.4.0 device rapidly sends a stream of MCUmgr SMP packet fragments, driving all four entries in the shared MCUmgr buffer pool to allocated-but-not-freed state. The next fragment allocation returns NULL, mcumgr_serial_process_frag() calls net_buf_reset() on it without checking, and the resulting NULL pointer write causes a processor exception, crashing and resetting the device. …
Remediation The upstream fix is available as commit 6f363ec6f7fd6ae9ed7ca2ae66fd9c82dce31c59 in the Zephyr project repository (https://github.com/zephyrproject-rtos/zephyr/commit/6f363ec6f7fd6ae9ed7ca2ae66fd9c82dce31c59); a patched tagged release version has not been independently confirmed from available data - project maintainers should monitor the Zephyr release channel for a version incorporating this fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10648 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy