The vulnerability in Zephyr's IPv6 MLD implementation arises from accessing the packet interface pointer after net_send_data() returns successfully, which transfers ownership and frees the packet. Subsequent access to this freed pointer leads to use-after-free conditions, causing either a NULL pointer dereference or memory corruption. This occurs when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled and the per-interface statistics path attempts to update statistics. The vulnerability is reachable remotely on the local link via MLDv2 General Query messages without authentication, enabling a denial of service attack on the network stack. The recommended fix caches the interface pointer locally before sending and avoids accessing the packet post-send, aligning with the pattern used in the IPv4 IGMP sibling code. The affected versions include 1.12.0 and all versions from 1.12.0 up to but not including 4.5.0. No official patch or remediation level has been published yet.

This vulnerability allows an unauthenticated attacker on the local network to remotely trigger a denial of service by causing the network stack to crash due to a use-after-free condition. There is also a narrow possibility of memory corruption, which could potentially lead to further instability or exploitation, but no confirmed exploits are known in the wild. The impact is limited to availability (denial of service) and integrity (memory corruption), with no confidentiality impact reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor's fix involves caching the interface pointer before sending and avoiding access to the packet after net_send_data() returns. Until an official patch is released, users should monitor vendor communications for updates. No generic mitigations are specifically recommended by the vendor advisory at this time.