Skip to main content

Zephyr RTOS EUVDEUVD-2026-37113

| CVE-2026-10636 LOW
Use After Free (CWE-416)
2026-06-16 zephyr
3.7
CVSS 3.1 · NVD

Severity by source

Vendor (zephyr) PRIMARY
LOW
qualitative
NVD
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.7 LOW

AV:N because IGMP queries arrive over the network; AC:H because reliable impact requires a race-condition timing dependency; PR:N because IGMP is unauthenticated; A:L for sporadic crash only.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 16, 2026 - 15:45 vuln.today
Analysis Generated
Jun 16, 2026 - 15:45 vuln.today

DescriptionNVD

In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been released by the L2 driver or by the network stack's TX handling (synchronously in the default NET_TC_TX_COUNT=0 immediate-transmit configuration), returning the net_pkt slab block to its free list. The subsequent net_pkt_iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write. The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net_ipv4_igmp_input - send_igmp_report/send_igmp_v3_report - igmp_send), as well as from local multicast join/leave/rejoin operations. Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse. The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld_send in subsys/net/ip/ipv6_mld.c) retains the same unfixed pattern.

AnalysisAI

Use-after-free in Zephyr's IPv4 IGMP implementation (igmp_send(), subsys/net/ip/igmp.c) allows a remote unauthenticated attacker to trigger undefined behavior and sporadic denial-of-service crashes on devices running Zephyr v2.6.0 through v4.4.0. The flaw arises because the network packet's interface pointer is re-read via net_pkt_iface(pkt) after net_send_data() may have already released the packet's last reference, returning the slab block to the free list. No public exploit code exists and the vulnerability is not in CISA KEV; however, the remote trigger path via IGMP membership queries (224.0.0.1) requires no authentication, and the analogous IPv6 MLD path (mld_send) carries the same unpatched pattern.

Technical ContextAI

Zephyr RTOS (CPE: cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*:*) implements IGMP in subsys/net/ip/igmp.c. The root cause is CWE-416 (Use After Free): igmp_send() passes a net_pkt struct to net_send_data(), which may synchronously hand the packet to the L2 driver and decrement its reference count to zero in the same call stack when CONFIG_NET_TC_TX_COUNT=0 (the default immediate-transmit configuration). After net_send_data() returns, the code re-reads the interface via net_pkt_iface(pkt) - a pointer field inside the now-freed slab block. When CONFIG_NET_STATISTICS_PER_INTERFACE is enabled, the dangling interface pointer is subsequently dereferenced to increment statistics counters, constituting a write to freed memory. The fix, committed in 0223e5e3ec5ebc51e8d0328fc3e604fa43552f54, caches the interface pointer as a local variable (struct net_if *iface = net_pkt_iface(pkt)) before net_send_data() is called, eliminating the post-free dereference. The parallel IPv6 MLD implementation (subsys/net/ip/ipv6_mld.c, mld_send) contains the identical pattern and was explicitly noted as unresolved in the advisory.

RemediationAI

The vendor-released fix is available as upstream commit 0223e5e3ec5ebc51e8d0328fc3e604fa43552f54 (https://github.com/zephyrproject-rtos/zephyr/commit/0223e5e3ec5ebc51e8d0328fc3e604fa43552f54); a specific tagged release version containing this fix was not identified in the provided data - integrators should confirm the fix version via the GitHub Security Advisory GHSA-fj6q-975v-65c9. The patch is a one-line cache of the interface pointer before net_send_data() is called and should apply cleanly to affected branches. If immediate patching is not feasible, compensating controls include: (1) disabling CONFIG_NET_STATISTICS_PER_INTERFACE in the Zephyr build configuration to eliminate the secondary dangling-pointer write, which reduces impact to a read-only UAF (trade-off: loss of per-interface statistics); (2) restricting IGMP traffic at network ingress to prevent the remote trigger path via 224.0.0.1 queries using an upstream router or firewall ACL (trade-off: may break multicast group management on the local segment); (3) switching to the asynchronous TX path (CONFIG_NET_TC_TX_COUNT > 0) is explicitly contra-indicated as a mitigation - it worsens the exploitability of the controlled write variant. Integrators should also audit subsys/net/ip/ipv6_mld.c for the analogous mld_send pattern and apply a corresponding fix.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

EUVD-2026-37113 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy