Skip to main content

Zephyr RTOS CVE-2026-10670

| EUVDEUVD-2026-43697 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-07-14 zephyr
5.5
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Requires low-privilege local thread execution (AV:L/PR:L); kernel crash yields complete availability loss (A:H) with zero confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 14, 2026 - 15:41 vuln.today
Analysis Generated
Jul 14, 2026 - 15:41 vuln.today

DescriptionCVE.org

The CONFIG_USERSPACE verification handler for the k_thread_name_copy() system call (z_vrfy_k_thread_name_copy() in kernel/thread.c) calls k_object_find() on the caller-supplied thread pointer and then dereferences the returned struct k_object without checking it for NULL. k_object_find() returns NULL whenever the supplied pointer is not a registered (static or dynamic) kernel object.

The pre-fix guard tested thread NULL instead of ko NULL, so an unprivileged user-mode thread that invokes k_thread_name_copy() with any non-NULL but unregistered pointer (e.g. an arbitrary address) passes the NULL test, after which the verifier reads ko->type through a NULL pointer.

Because the syscall verifier runs in supervisor mode, this NULL dereference is a kernel-mode fault that halts or reboots the system, allowing untrusted user code to crash the kernel across the userspace security boundary (denial of service). The marshaller passes the thread argument to the verifier without any prior K_SYSCALL_OBJ validation, so the bad pointer reaches the defect directly.

The flaw affects builds with CONFIG_USERSPACE and CONFIG_THREAD_NAME enabled and has been present since the special-case lookup was introduced around v2.0.0; it is present in v4.4.0 and earlier. The fix changes the guard to check the k_object_find() return value (ko == NULL) before dereferencing it.

AnalysisAI

NULL pointer dereference in Zephyr RTOS's syscall verifier allows an unprivileged user-mode thread to crash the kernel across the userspace security boundary. The z_vrfy_k_thread_name_copy() verification handler in kernel/thread.c incorrectly guards against the caller-supplied thread pointer being NULL rather than the ko pointer returned by k_object_find(), so any non-NULL but unregistered address bypasses the check and triggers a supervisor-mode NULL dereference that halts or reboots the system. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privilege user-mode thread execution on device
Delivery
Invoke k_thread_name_copy() with arbitrary non-NULL unregistered address
Exploit
k_object_find() returns NULL for unregistered pointer
Execution
Pre-fix guard (thread == NULL) passes incorrectly
Persist
Supervisor-mode dereference of ko->type through NULL pointer
Impact
Kernel-mode fault halts or reboots system

Vulnerability AssessmentAI

Exploitation Two build-time Kconfig options must both be enabled: CONFIG_USERSPACE=y (compiles in the userspace boundary and syscall verifiers) and CONFIG_THREAD_NAME=y (compiles in the k_thread_name_copy() syscall and its z_vrfy_ verifier). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H with a base score of 5.5 accurately captures the risk profile: local low-privilege access is required, impact is confined to availability, and the scope is unchanged. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with low-privilege code execution on a Zephyr device - for example, a sandboxed application thread in a multi-tenant embedded system - calls k_thread_name_copy() passing an arbitrary non-NULL but unregistered memory address as the thread argument. The pre-fix verifier passes the thread == NULL check (since the address is non-NULL), then k_object_find() returns NULL for the unregistered pointer, and the verifier dereferences ko->type through the NULL pointer in supervisor mode. …
Remediation Apply the upstream fix available in Zephyr commit 491583951036bc5794a3843a4baa246453bb1ee2 (https://github.com/zephyrproject-rtos/zephyr/commit/491583951036bc5794a3843a4baa246453bb1ee2), which corrects the NULL guard in z_vrfy_k_thread_name_copy() from checking the caller-supplied thread pointer to checking the ko pointer returned by k_object_find(). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10670 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy