Skip to main content

Zephyr RTOS CVE-2026-10671

| EUVDEUVD-2026-43698 HIGH
Expired Pointer Dereference (CWE-825)
2026-07-14 zephyr
7.1
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
7.1 HIGH

Local user-thread foothold with a pipe permission grant gives PR:L/AV:L/AC:L; kernel-memory corruption and blocked threads give I:H/A:H with no disclosure (C:N).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 14, 2026 - 15:37 vuln.today
Analysis Generated
Jul 14, 2026 - 15:37 vuln.today
CVE Published
Jul 14, 2026 - 15:02 cve.org
HIGH 7.1

DescriptionCVE.org

In Zephyr's kernel pipe implementation, the userspace syscall verifier z_vrfy_k_pipe_init() in kernel/pipe.c used K_SYSCALL_OBJ() (which requires the kernel object to already be initialized) instead of K_SYSCALL_OBJ_NEVER_INIT() (which rejects an already-initialized object). As a result, on CONFIG_USERSPACE builds an unprivileged user thread that has been granted access to a k_pipe object can invoke the k_pipe_init syscall to re-initialize a pipe that is already in use.

z_impl_k_pipe_init() unconditionally resets the ring buffer, sets pipe->waiting to 0, and re-initializes both wait queues (z_waitq_init on pipe->data and pipe->space) without waking or accounting for threads currently blocked on the pipe. Any thread already pended in k_pipe_read()/k_pipe_write() is left orphaned: still marked pending with pended_on pointing at the cleared wait queue and with stale qnode_dlist links into the (now re-initialized) embedded list head.

When such an orphaned waiter is later timed out or woken, the scheduler calls sys_dlist_remove() on its stale node, writing through dangling prev/next pointers into kernel wait-queue/scheduler structures, causing list corruption (an attacker-driven invalid kernel write), lost wakeups, indefinitely blocked threads, and silent data loss. The flaw lets a deprivileged user thread corrupt the state of a kernel object shared with other threads/partitions.

The fix switches the verifier to K_SYSCALL_OBJ_NEVER_INIT(), matching the existing k_msgq_init verifier, so a user thread can no longer re-initialize a live pipe. The vulnerable code shipped in v4.1.0 and remained through v4.4.0.

AnalysisAI

Kernel object corruption in Zephyr RTOS (v4.1.0 through v4.4.0) lets a deprivileged user thread on CONFIG_USERSPACE builds re-initialize a live k_pipe to which it has been granted access, orphaning threads already blocked on that pipe. Because z_impl_k_pipe_init() unconditionally resets the ring buffer and wait queues without accounting for pended waiters, a subsequent timeout or wake drives sys_dlist_remove() through dangling pointers, producing an attacker-influenced invalid kernel write, list corruption, lost wakeups, and silent data loss. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain unprivileged user-thread foothold
Delivery
Hold granted access to live k_pipe
Exploit
Call k_pipe_init syscall to re-init pipe
Install
Orphan threads pended on pipe
C2
Waiter times out or is woken
Execute
sys_dlist_remove writes through stale pointers
Impact
Kernel list corruption and lost wakeups

Vulnerability AssessmentAI

Exploitation Exploitation requires a Zephyr build compiled with CONFIG_USERSPACE, an attacker-controlled unprivileged user thread, and that thread having been explicitly granted access permission to a k_pipe kernel object that is actively shared and in use by other threads. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 with vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating a local, low-complexity attack requiring only low privileges and no user interaction, with high integrity and availability impact but no confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a CONFIG_USERSPACE Zephyr firmware image where an unprivileged partition has been granted access to a k_pipe shared with a higher-trust thread, a compromised or malicious user thread invokes the k_pipe_init syscall a second time on that in-use pipe while another thread is blocked in k_pipe_read()/k_pipe_write(). When the orphaned waiter is later timed out or woken, the scheduler dereferences its stale list node and writes through dangling pointers into kernel structures, corrupting wait-queue/scheduler state. …
Remediation Apply the upstream fix that switches the z_vrfy_k_pipe_init() verifier from K_SYSCALL_OBJ() to K_SYSCALL_OBJ_NEVER_INIT(), delivered in commit https://github.com/zephyrproject-rtos/zephyr/commit/4424aa681e0b80e9cbd0ae27a987d582be88cb74 and described in advisory https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p8w8-3x99-mg8f; an upstream fix (commit) is available but a specific tagged patched release version was not independently confirmed from the provided data, so integrators should rebuild from a Zephyr tree containing this commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and inventory all systems running Zephyr RTOS versions 4.1.0 through 4.4.0 with CONFIG_USERSPACE enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10671 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy