Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionNVD
A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.
AnalysisAI
Null pointer dereference in Zephyr RTOS TCP stack during connection teardown allows authenticated remote attackers to cause denial of service. A race condition in tcp_recv() processing of SYN packets causes tcp_conn_search() to return NULL on a released connection, which is then dereferenced without validation in tcp_backlog_is_full(), resulting in a crash. The vulnerability requires low-privilege authentication and is moderately complex to trigger due to timing constraints (AC:H), but results in high availability impact.
Technical ContextAI
Zephyr RTOS implements a TCP/IP stack that manages connection lifecycle through connection object pointers stored in context structures. The vulnerability stems from CWE-476 (Null Pointer Dereference) in the connection teardown path: during SYN packet processing, if a connection has been concurrently released, tcp_conn_search() correctly returns NULL to indicate the connection no longer exists. However, the calling function tcp_recv() does not validate this NULL return before passing the dereferenced pointer to tcp_backlog_is_full(). The race condition window opens between connection release and subsequent SYN packet arrival, allowing stale context pointers to be used. This affects all Zephyr versions implementing the vulnerable TCP connection management logic.
RemediationAI
Update Zephyr RTOS to the patched version released by the Zephyr project. The exact patched version number should be obtained from the Zephyr GitHub security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vqm-pw24-g9jp. The fix adds null-pointer validation in tcp_recv() before dereferencing the connection pointer returned by tcp_conn_search(), ensuring that NULL returns are handled safely rather than passed to tcp_backlog_is_full(). For systems unable to update immediately, restrict authenticated network access to TCP services on affected Zephyr devices where possible, or isolate devices to trusted networks only. Validate that your Zephyr build includes TCP stack updates when patching.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19028