In Zephyr's IPv4 IGMP implementation, the igmp_send() function reads the network interface pointer from a packet after the packet has been handed off to net_send_data(). On successful send, the packet's last reference may be released by the network stack or driver, freeing the packet memory. Subsequent dereferencing of the freed packet's interface pointer causes a use-after-free read. If CONFIG_NET_STATISTICS_PER_INTERFACE is enabled, this dangling pointer is further dereferenced for statistics updates. The vulnerability is reachable without authentication from inbound IPv4 IGMP membership queries to 224.0.0.1 and local multicast join/leave operations. The impact includes undefined behavior and potential denial of service via sporadic crashes or statistics corruption. Exploitation requiring a controllable write is complex and depends on asynchronous TX path and concurrent slab reuse. The flaw affects Zephyr versions from 2.6.0 through before 4.5.0 and was introduced with IGMPv2 support. The fix involves caching the interface pointer before sending. The similar IPv6 MLD send path remains vulnerable.

The vulnerability can cause undefined behavior such as sporadic crashes or corruption of network interface statistics counters, resulting in potential denial of service. There is no confidentiality or integrity impact reported. Exploitation to achieve a controllable write is complex and requires specific asynchronous transmission conditions and concurrent memory reuse. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The fix described caches the interface pointer before sending to prevent use-after-free. Until an official patch is available, avoid configurations that enable asynchronous TX paths or CONFIG_NET_STATISTICS_PER_INTERFACE if feasible. Monitor vendor communications for updates and apply official fixes once released.