Zephyr RTOS EUVD-2026-37115

CVE-2026-10638 HIGH
Use After Free (CWE-416)
2026-06-16 zephyr GHSA-wqjx-hrch-347f
7.5
CVSS 3.1 · NVD
Severity by source

Vendor (zephyr), PRIMARY: MEDIUM (qualitative)
NVD: 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI: 6.5 MEDIUM

I:L added over vendor I:N because CONFIG_NET_STATISTICS_PER_INTERFACE enables attacker-influenced write through stale pointer; AC:H retained for non-deterministic race in default TX-queue configurations.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Severity Changed: Jul 01, 2026 - 14:52 (NVD), MEDIUM → HIGH
CVSS changed: Jul 01, 2026 - 14:52 (NVD), 5.9 (MEDIUM) → 7.5 (HIGH)
Source Code Evidence Fetched: Jun 16, 2026 - 15:43 (vuln.today)
Analysis Generated: Jun 16, 2026 - 15:43 (vuln.today)

Description (NVD)

subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent packet. The send path (net_try_send_data -> net_if_tx) unreferences and may free the packet back to its memory slab before returning - synchronously in the RX thread when no TX queue is configured (CONFIG_NET_TC_TX_COUNT == 0), and asynchronously the driver/L2 may already have freed it otherwise. net_pkt_iface() therefore dereferences a freed (and possibly reused) net_pkt; with CONFIG_NET_STATISTICS_PER_INTERFACE the stale iface pointer is further dereferenced and written through (iface->stats.icmp.sent++), turning the use-after-free read into a write through an attacker-influenceable pointer. The core stack already documents this hazard in net_core.c ("do not use pkt after that call") and caches iface before sending; the ICMPv6 callers did not. An unauthenticated remote attacker triggers the flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error (unknown next header, fragment reassembly timeout, destination unreachable), leading to denial of service via crash and potential memory corruption. Affected: Zephyr networking with CONFIG_NET_NATIVE_IPV6, roughly v4.2.0 through v4.4.0. The fix caches the interface pointer before sending and uses it for all statistics updates; the sibling commit 86e21665d46 fixes the identical bug in ICMPv4.
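The ownership mistake described above, reduced to a self-contained C model: an added example, not Zephyr source and not the upstream patch. `toy_pkt`, `toy_iface`, `toy_alloc` and `toy_send` are hypothetical stand-ins, and the "slab" is a static slot that is zeroed on release so the stale read stays well-defined and observable.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for net_if / net_pkt (assumptions, not Zephyr API). */
struct toy_iface { unsigned icmp_sent; };
struct toy_pkt { struct toy_iface *iface; };
static struct toy_pkt slab[1]; /* one static slot standing in for the slab */

static struct toy_pkt *toy_alloc(struct toy_iface *iface)
{
    slab[0].iface = iface;
    return &slab[0];
}

/* Models the no-TX-queue case: the packet is released before send returns. */
static int toy_send(struct toy_pkt *pkt)
{
    memset(pkt, 0, sizeof(*pkt)); /* slot returned to the slab, contents gone */
    return 0;
}

/* Pre-fix pattern: the interface is read from the packet after the send.
 * Returns 1 if the counter was updated, 0 if the pointer read was stale. */
static int reply_vulnerable(struct toy_iface *iface)
{
    struct toy_pkt *reply = toy_alloc(iface);
    if (toy_send(reply) < 0) { return -1; }
    struct toy_iface *stale = reply->iface; /* read of a released packet */
    if (stale == NULL) { return 0; }        /* the real code dereferences it */
    stale->icmp_sent++;
    return 1;
}

/* Fixed pattern: cache the interface while the packet is still owned. */
static int reply_fixed(struct toy_iface *iface)
{
    struct toy_pkt *reply = toy_alloc(iface);
    struct toy_iface *cached = reply->iface;
    if (toy_send(reply) < 0) { return -1; }
    cached->icmp_sent++;                    /* packet is not touched again */
    return 1;
}

int main(void)
{
    struct toy_iface eth = { 0 };
    int v = reply_vulnerable(&eth);
    int f = reply_fixed(&eth);
    printf("vulnerable=%d fixed=%d sent=%u\n", v, f, eth.icmp_sent);
    return 0;
}
```

When auditing other callers of a send routine that consumes its packet, the same check applies: every field needed after the call must be copied out before it.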

Analysis (AI)

Use-after-free in Zephyr RTOS's ICMPv6 stack (v4.2.0-v4.4.0) allows an unauthenticated remote attacker to crash the networking stack and potentially corrupt memory by sending a standard ICMPv6 Echo Request or any IPv6 packet that elicits an ICMPv6 error response. Both icmpv6_handle_echo_request() and net_icmpv6_send_error() call net_pkt_iface() on a packet after transferring it to net_try_send_data(), which may synchronously or asynchronously free the packet's memory slab before the statistics update executes. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Attain IPv6 network reachability to Zephyr device
Delivery: Send ICMPv6 Echo Request or error-eliciting IPv6 packet
Exploit: Zephyr ICMPv6 handler transfers packet to net_try_send_data()
Execution: Packet memory slab freed before statistics update executes
Persist: net_pkt_iface() dereferences freed memory
Impact: Crash (DoS) or write through stale iface pointer corrupts memory (CONFIG_NET_STATISTICS_PER_INTERFACE)

Vulnerability Assessment (AI)

Exploitation: The target must run Zephyr RTOS v4.2.0-v4.4.0 compiled with `CONFIG_NET_NATIVE_IPV6=y`. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) captures network reachability and unauthenticated access, but AC:H reflects a race condition that is not uniformly applicable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with network reachability to a Zephyr-based embedded device's IPv6 address sends a standard ICMPv6 Echo Request (ping6); on a device with no TX queue (`CONFIG_NET_TC_TX_COUNT == 0`), the Zephyr ICMPv6 handler constructs a reply, passes the original packet to `net_try_send_data()`, and the memory slab is freed synchronously before control returns to the statistics update code, which then dereferences the freed `net_pkt`. If `CONFIG_NET_STATISTICS_PER_INTERFACE` is enabled, the stale `net_if *` pointer is written through, potentially corrupting adjacent memory structures and crashing the network stack or enabling further exploitation. …

Remediation: Apply upstream fix commit `09c8578c66b517c5165cde53332ed5d8d8ef2cfc` from the Zephyr project repository (https://github.com/zephyrproject-rtos/zephyr/commit/09c8578c66b517c5165cde53332ed5d8d8ef2cfc), which caches the `net_if *iface` pointer before invoking `net_try_send_data()` in both `icmpv6_handle_echo_request()` and `net_icmpv6_send_error()`, ensuring all subsequent statistics updates use the pre-captured pointer rather than re-dereferencing the potentially freed packet. … Detailed patch versions, workarounds, and compensating controls in full report.
