Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
AV:N because IGMP queries arrive over the network; AC:H because reliable impact requires a race-condition timing dependency; PR:N because IGMP is unauthenticated; A:L for sporadic crash only.
Primary rating from Vendor (zephyr).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionNVD
In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been released by the L2 driver or by the network stack's TX handling (synchronously in the default NET_TC_TX_COUNT=0 immediate-transmit configuration), returning the net_pkt slab block to its free list. The subsequent net_pkt_iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write. The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net_ipv4_igmp_input - send_igmp_report/send_igmp_v3_report - igmp_send), as well as from local multicast join/leave/rejoin operations. Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse. The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld_send in subsys/net/ip/ipv6_mld.c) retains the same unfixed pattern.
AnalysisAI
Use-after-free in Zephyr's IPv4 IGMP implementation (igmp_send(), subsys/net/ip/igmp.c) allows a remote unauthenticated attacker to trigger undefined behavior and sporadic denial-of-service crashes on devices running Zephyr v2.6.0 through v4.4.0. The flaw arises because the network packet's interface pointer is re-read via net_pkt_iface(pkt) after net_send_data() may have already released the packet's last reference, returning the slab block to the free list. No public exploit code exists and the vulnerability is not in CISA KEV; however, the remote trigger path via IGMP membership queries (224.0.0.1) requires no authentication, and the analogous IPv6 MLD path (mld_send) carries the same unpatched pattern.
Technical ContextAI
Zephyr RTOS (CPE: cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*:*) implements IGMP in subsys/net/ip/igmp.c. The root cause is CWE-416 (Use After Free): igmp_send() passes a net_pkt struct to net_send_data(), which may synchronously hand the packet to the L2 driver and decrement its reference count to zero in the same call stack when CONFIG_NET_TC_TX_COUNT=0 (the default immediate-transmit configuration). After net_send_data() returns, the code re-reads the interface via net_pkt_iface(pkt) - a pointer field inside the now-freed slab block. When CONFIG_NET_STATISTICS_PER_INTERFACE is enabled, the dangling interface pointer is subsequently dereferenced to increment statistics counters, constituting a write to freed memory. The fix, committed in 0223e5e3ec5ebc51e8d0328fc3e604fa43552f54, caches the interface pointer as a local variable (struct net_if *iface = net_pkt_iface(pkt)) before net_send_data() is called, eliminating the post-free dereference. The parallel IPv6 MLD implementation (subsys/net/ip/ipv6_mld.c, mld_send) contains the identical pattern and was explicitly noted as unresolved in the advisory.
RemediationAI
The vendor-released fix is available as upstream commit 0223e5e3ec5ebc51e8d0328fc3e604fa43552f54 (https://github.com/zephyrproject-rtos/zephyr/commit/0223e5e3ec5ebc51e8d0328fc3e604fa43552f54); a specific tagged release version containing this fix was not identified in the provided data - integrators should confirm the fix version via the GitHub Security Advisory GHSA-fj6q-975v-65c9. The patch is a one-line cache of the interface pointer before net_send_data() is called and should apply cleanly to affected branches. If immediate patching is not feasible, compensating controls include: (1) disabling CONFIG_NET_STATISTICS_PER_INTERFACE in the Zephyr build configuration to eliminate the secondary dangling-pointer write, which reduces impact to a read-only UAF (trade-off: loss of per-interface statistics); (2) restricting IGMP traffic at network ingress to prevent the remote trigger path via 224.0.0.1 queries using an upstream router or firewall ACL (trade-off: may break multicast group management on the local segment); (3) switching to the asynchronous TX path (CONFIG_NET_TC_TX_COUNT > 0) is explicitly contra-indicated as a mitigation - it worsens the exploitability of the controlled write variant. Integrators should also audit subsys/net/ip/ipv6_mld.c for the analogous mld_send pattern and apply a corresponding fix.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37113