Skip to main content

Zephyr RTOS CVE-2026-1681

| EUVDEUVD-2026-29387 MEDIUM
Uncontrolled Recursion (CWE-674)
2026-05-12 zephyr
6.1
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Primary rating from Vendor (zephyr) · only source for this CVE.

CVSS VectorVendor: zephyr

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 06:45 vuln.today
CVE Published
May 12, 2026 - 05:39 nvd
MEDIUM 6.1

DescriptionCVE.org

Issuing an ICMP ping via the net ping shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both the echo request and the resulting echo reply are processed inline before the current frame returns. The nested input-path frames exceed the work-queue stack and trigger a stack overflow.

AnalysisAI

Stack overflow in Zephyr RTOS network stack allows local attackers to trigger a denial of service by issuing an ICMP ping to the device's own IPv4 address via the net ping shell command, causing recursive re-entry of the input path on the same work-queue stack and exhausting stack memory. The vulnerability requires local access and user interaction to execute the shell command, affecting systems with Zephyr network functionality enabled.

Technical ContextAI

Zephyr RTOS is an embedded operating system with a network stack implementation. The vulnerability exists in the ICMP echo request/reply processing logic within the network stack's input path. When a ping is directed to a local IPv4 address, the stack processes both the incoming echo request and the generated echo reply inline on the same execution context before the current frame returns. This recursive re-entry on a single work-queue stack violates stack depth assumptions, causing stack overflow (CWE-674: Uncontrolled Recursion). The issue is rooted in the network stack's handling of locally-destined packets, which are processed synchronously rather than queued for deferred processing.

RemediationAI

Patch or upgrade Zephyr RTOS to a version that resolves the recursive input-path issue in the ICMP echo handler - consult the GitHub Security Advisory (https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-6fcc-8rwr-w7xx) for exact patched version numbers. As a workaround, disable or restrict access to the net ping shell command in production deployments by removing the network shell module or enforcing access controls to the shell interface (trade-off: loss of diagnostics capability). Alternatively, disable ICMP processing on the device if ping functionality is not required (trade-off: loss of network diagnostics and potential routing protocol impacts). Systems without local shell access or user interaction capability are not at immediate risk from this vulnerability.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-1681 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy