On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, Zephyr's page-table code maintains a global list of active memory domains using a node embedded inside the caller-owned k_mem_domain struct. When a memory domain is destroyed via k_mem_domain_deinit(), the domain's node is not removed from the global xtensa_domain_list, leaving a dangling pointer. Subsequent arch_mem_map() or arch_mem_unmap() operations traverse this stale node and dereference a NULL or stale ptables pointer, causing either a fatal MMU exception (denial of service) or use-after-free memory corruption. This can undermine userspace isolation. The vulnerable code path is only accessible from privileged kernel code, not from unprivileged or remote sources. The vulnerability was introduced in Zephyr v4.4.0 and fixed on the main branch by adding sys_slist_find_and_remove() to properly remove the node during domain deinitialization. The Xtensa MPU path is unaffected.

This vulnerability can cause denial of service via a fatal MMU exception due to NULL pointer dereference or memory corruption through use-after-free during page-table operations. The memory corruption can undermine userspace isolation, potentially impacting system security. However, exploitation requires privileged kernel access, limiting the attack surface. There are no known exploits in the wild.

A fix has been applied on the main development branch of Zephyr by properly removing the stale node from the global list during memory domain deinitialization. Users should upgrade to a Zephyr version including this fix (post-4.5.0). Since the vulnerability is not reachable from unprivileged or remote code, limiting privileged code modifications and applying the official patch when available are the primary mitigations. Patch status is not yet confirmed in the provided data; check the Zephyr vendor advisory for current remediation guidance.