Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable via UDP NTP suppression with no privileges; AC:H for race-condition timing; A:H for networking thread crash; I:L for speculative memory corruption on context reuse.
Primary rating from Vendor (zephyr).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionNVD
The asynchronous SNTP client in Zephyr (subsys/net/lib/sntp/sntp.c, sntp_close_async) closed the UDP socket file descriptor directly from the calling thread immediately after detaching it from the network socket service, without synchronizing with the socket-service poll thread.
The socket service thread polls each socket via zvfs_poll, which (in zsock_poll_prepare_ctx) registers a k_poll_event pointing into the socket's net_context (&ctx->recv_q) and then blocks in k_poll without holding a reference or lock. net_context objects are allocated from a fixed pool (contexts[CONFIG_NET_MAX_CONTEXTS]) and reused after close.
When sntp_close_async is invoked from a different thread than the poll thread (in the in-tree consumer subsys/net/lib/config/init_clock_sntp.c, the SNTP timeout handler runs on the system workqueue while the socket service thread is blocked in poll on the same fd), the close frees and may reuse the net_context while the poll thread still has a poller node linked into the freed object, resulting in a use-after-free / object confusion of kernel poll structures.
The SNTP timeout path is the normal no-response failure mode, so a network peer or off-path attacker who drops or delays the SNTP/NTP response can drive the racing close repeatedly (and periodically with NET_CONFIG_SNTP_INIT_RESYNC). The most likely consequence is a crash of the networking thread (denial of service), with potential memory corruption when the freed context slot is reallocated.
The fix defers the close to the socket service thread itself via net_socket_service_close (NET_SOCKET_SERVICE_CLOSE_SOCKETS), so the same thread that polls performs the close, eliminating the race. Affected releases: v4.2.0 through v4.4.0.
AnalysisAI
Use-after-free in Zephyr's asynchronous SNTP client (sntp_close_async, v4.2.0-v4.4.0) can be triggered remotely by any network peer or off-path attacker capable of dropping or delaying UDP NTP responses, exploiting a race between the system workqueue thread and the socket-service poll thread. The most probable outcome is a crash of the networking subsystem thread (denial of service); where the freed net_context pool slot is rapidly reallocated, memory corruption is possible. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerable code path is reached only when the Zephyr SNTP client is compiled in and active (subsys/net/lib/config/init_clock_sntp.c with CONFIG_NET_CONFIG_CLOCK_SNTP_INIT enabled). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H) correctly captures the principal risk signals: the attack is network-reachable with no required privileges or user interaction, but the High Attack Complexity (AC:H) reflects the race-condition timing requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positioned on the network path between the Zephyr device and its configured NTP server - or controlling a rogue NTP server - drops or never responds to SNTP UDP packets. After the SNTP timeout expires, the system workqueue invokes sntp_close_async concurrently with the socket-service poll thread blocking in k_poll on the same socket, triggering the use-after-free race; repeated periodic resyncs (NET_CONFIG_SNTP_INIT_RESYNC) give the attacker recurring exploitation windows. … |
| Remediation | Upstream fix available via GitHub commit ef47bdf328b4206ac3b3922ec09184f7a6f7412a in the zephyr-project-rtos/zephyr repository; a tagged patched release version has not been independently confirmed from the available references - consumers should verify with the vendor advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-34wr-cg29-c4mw. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40370