Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
The trigger is a non-attacker-controlled timing race, so AV:L and AC:H; no privileges or user interaction are needed to reach the code path, but memory corruption yields full C/I/A impact.
Primary rating from Vendor (zephyr).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionNVD
The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block ref_count at the start of each variable/heap data allocation -- with plain non-atomic C operators (buf->ref++, if (--buf->ref > 0), if (--(*ref_count))). The API is documented as self-synchronizing: callers may share one buffer across threads (e.g. via k_fifo) and each holder independently calls net_buf_unref() with no surrounding lock. Under true concurrency (SMP, or single-core preemption between the non-atomic load and store while another context unrefs the same buffer), two holders can both observe the same prior reference value and both conclude they are the last reference. For heap/variable-data pools (mem_pool_data_unref/heap_data_unref, used by zbus message subscribers, the IP stack RX/TX buffers when CONFIG_NET_BUF_FIXED_DATA_SIZE=n, capture, wireguard, ISO-TP and usbip) this produces a double k_heap_free()/k_free() of the same block -- heap-metadata corruption and a use-after-free on the heap-hardening poison pattern. For the per-header refcount the buffer is returned to the pool free LIFO twice for any pool type (including fixed-data pools used by Bluetooth and networking), corrupting the free list so a later allocation hands the same buffer to two owners. The fix converts both refcounts to atomic_inc/atomic_dec (overlaying buf->ref in an atomic_t-sized union and changing the data-block refcount from uint8_t to atomic_t). Impact is gated on genuine concurrency and on an application architecture that shares one buffer among multiple independent unref'ers; the trigger is a refcount/timing race rather than packet content, so an external attacker has at most weak indirect influence over the race window. Affects all Zephyr releases through v4.4.0.
AnalysisAI
Non-atomic reference-count manipulation in the Zephyr RTOS net_buf library (lib/net_buf/buf.c) allows a double-free/use-after-free when a single buffer is shared and independently unref'd across concurrent contexts. Because buf->ref and the per-data-block ref_count were incremented/decremented with plain C operators despite the API being documented as self-synchronizing, two holders racing net_buf_unref() under SMP or single-core preemption can each conclude they hold the last reference, causing a double k_heap_free()/k_free() (heap-metadata corruption and UAF on heap-hardening poison) for heap/variable-data pools, or a double return to the pool free list for any pool type. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concrete prerequisites drawn from the description: (1) genuine concurrency - either a CONFIG_SMP build with buffer holders on different CPUs, or a single-core build where preemption lands between the non-atomic refcount load and store while another context unrefs the same buffer; and (2) an application architecture that shares one net_buf among multiple independent unref'ers (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine memory-safety defect but a lower operational priority than its 8.1 base score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On an SMP-enabled Zephyr device, two threads each hold a reference to the same net_buf received via k_fifo (for example a zbus message delivered to multiple subscribers); both call net_buf_unref() at nearly the same instant, read the same prior refcount, and both perform the final free, double-freeing the heap data block and corrupting heap metadata. The resulting use-after-free/heap corruption can crash the device or, with careful heap grooming, be steered toward memory disclosure or control-flow corruption. … |
| Remediation | Vendor-released patch: upgrade to Zephyr v4.5.0, which contains the fix (per EUVD the fixed version is 4.5.0); the change converts both reference counts to atomic operations in commit 9bb2878319d5f46c29ab5fe855a378d87cd75fc3 (https://github.com/zephyrproject-rtos/zephyr/commit/9bb2878319d5f46c29ab5fe855a378d87cd75fc3) and is documented in advisory GHSA-284j-5jm9-55hh (https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-284j-5jm9-55hh). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems and devices running Zephyr RTOS; document version numbers and deployment scope across production and development environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-415 – Double Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40367