Skip to main content

Zephyr CVE-2026-5590

| EUVDEUVD-2026-19028 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-05 zephyr
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
CVSS changed
Jul 08, 2026 - 13:52 NVD
6.4 (MEDIUM) 5.3 (MEDIUM)
EUVD ID Assigned
Apr 05, 2026 - 04:00 euvd
EUVD-2026-19028
Analysis Generated
Apr 05, 2026 - 04:00 vuln.today
CVE Published
Apr 05, 2026 - 03:34 nvd
MEDIUM 6.4

DescriptionNVD

A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.

AnalysisAI

Null pointer dereference in Zephyr RTOS TCP stack during connection teardown allows authenticated remote attackers to cause denial of service. A race condition in tcp_recv() processing of SYN packets causes tcp_conn_search() to return NULL on a released connection, which is then dereferenced without validation in tcp_backlog_is_full(), resulting in a crash. The vulnerability requires low-privilege authentication and is moderately complex to trigger due to timing constraints (AC:H), but results in high availability impact.

Technical ContextAI

Zephyr RTOS implements a TCP/IP stack that manages connection lifecycle through connection object pointers stored in context structures. The vulnerability stems from CWE-476 (Null Pointer Dereference) in the connection teardown path: during SYN packet processing, if a connection has been concurrently released, tcp_conn_search() correctly returns NULL to indicate the connection no longer exists. However, the calling function tcp_recv() does not validate this NULL return before passing the dereferenced pointer to tcp_backlog_is_full(). The race condition window opens between connection release and subsequent SYN packet arrival, allowing stale context pointers to be used. This affects all Zephyr versions implementing the vulnerable TCP connection management logic.

RemediationAI

Update Zephyr RTOS to the patched version released by the Zephyr project. The exact patched version number should be obtained from the Zephyr GitHub security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vqm-pw24-g9jp. The fix adds null-pointer validation in tcp_recv() before dereferencing the connection pointer returned by tcp_conn_search(), ensuring that NULL returns are handled safely rather than passed to tcp_backlog_is_full(). For systems unable to update immediately, restrict authenticated network access to TCP services on affected Zephyr devices where possible, or isolate devices to trusted networks only. Validate that your Zephyr build includes TCP stack updates when patching.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-5590 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy