Skip to main content

Zephyr RTOS EUVDEUVD-2026-37117

| CVE-2026-10640 HIGH
Use After Free (CWE-416)
2026-06-16 zephyr
7.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
7.1 HIGH

On-link unauthenticated trigger via ICMPv6 (AV:A/PR:N/UI:N); primary impact is crash/DoS (A:H) with only marginal integrity from stat corruption (I:L) and no confidentiality (C:N).

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 26, 2026 - 20:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 20:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 20:52 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 20:52 NVD
MEDIUM HIGH
CVSS changed
Jun 26, 2026 - 20:52 NVD
4.2 (MEDIUM) 7.1 (HIGH)
Source Code Evidence Fetched
Jun 16, 2026 - 15:41 vuln.today
Analysis Generated
Jun 16, 2026 - 15:41 vuln.today

DescriptionNVD

Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success path the network stack owns and releases the packet's reference (the L2/driver send unrefs it, e.g. ethernet_send - net_pkt_unref), so for a freshly allocated packet with refcount 1 the net_pkt slab block can be freed before the statistics line runs (synchronously when no TX queue thread is configured, or via a concurrent TX thread otherwise).

The subsequent net_pkt_iface(pkt) reads pkt-iface from the freed slab block, and with CONFIG_NET_STATISTICS_PER_INTERFACE enabled that loaded pointer is dereferenced to increment iface-stats.icmp.sent, a use-after-free (CWE-416). If the slab block was reallocated in the meantime the read/increment targets unrelated or attacker-influenced memory, yielding corrupted statistics, a fault/crash (denial of service), or potential limited memory corruption.

The vulnerable Neighbor Advertisement path is reachable by any unauthenticated on-link node simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled (handle_ns_input - net_ipv6_send_na).

Affected from v3.3.0 through v4.4.0; the fix uses the already-available iface argument instead of touching the sent packet. Configurations without per-interface statistics dereference only a global counter and are not affected by the memory-safety aspect.

AnalysisAI

Denial of service (and potential limited memory corruption) in the Zephyr RTOS IPv6 networking stack (versions 3.3.0 through 4.4.0) stems from a use-after-free in the IPv6 Neighbor Discovery send paths, where per-interface ICMP statistics are updated by reading from a network packet after the stack has already freed it. Any unauthenticated on-link node can trigger the Neighbor Advertisement path simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 and CONFIG_NET_STATISTICS_PER_INTERFACE enabled, causing a freed slab block to be dereferenced. There is no public exploit identified at time of analysis and EPSS is low (0.14%, 4th percentile); a vendor patch is available, and impact is largely limited to crashes/DoS with only theoretical limited memory corruption.

Technical ContextAI

The affected component is Zephyr's IPv6 Neighbor Discovery implementation in subsys/net/ip/ipv6_nbr.c, specifically net_ipv6_send_na, net_ipv6_send_ns, and net_ipv6_send_rs. Zephyr manages network packets (net_pkt) using reference-counted slab-allocated blocks; on a successful net_send_data() call, the L2/driver send path (e.g. ethernet_send) owns and releases the packet's final reference via net_pkt_unref, freeing the slab block. The root cause (CWE-416, Use After Free) is that the statistics line called net_pkt_iface(pkt) after net_send_data() returned, reading the pkt->iface field from a slab block whose refcount may already have dropped to zero and been freed - synchronously when no dedicated TX queue thread is configured, or via a race with a concurrent TX thread otherwise. When CONFIG_NET_STATISTICS_PER_INTERFACE is enabled, that stale pointer is dereferenced to increment iface->stats.icmp.sent. The CPE cpe:2.3:a:zephyrproject:zephyr identifies the affected product. The fix is trivial and correct: use the already-available iface function argument instead of re-deriving it from the sent packet.

RemediationAI

Upgrade to Zephyr 4.5.0 or later, which incorporates the upstream fix (commit aaed8332a62b0490a2f3c2cbabe272f575068eaa) that replaces net_pkt_iface(pkt) with the already-available iface argument in net_ipv6_send_na, net_ipv6_send_ns, and net_ipv6_send_rs; see the advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-r74c-mr4m-7g9g. Because Zephyr is typically vendored into device firmware, downstream maintainers should cherry-pick the one-line-per-function commit into their pinned tree and rebuild/redeploy firmware. As a compensating control where firmware cannot be rebuilt immediately, disabling CONFIG_NET_STATISTICS_PER_INTERFACE removes the memory-safety impact (the global-counter path is not affected), at the cost of losing per-interface ICMP statistics; alternatively, restricting or filtering inbound ICMPv6 Neighbor Solicitations at the L2 segment or disabling native IPv6 where unused reduces reachability, with the trade-off of impaired IPv6 neighbor discovery functionality.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

EUVD-2026-37117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy