CVE-2026-10638: use-after-free in zephyrproject zephyr
A use-after-free vulnerability exists in the Zephyr project's networking stack for ICMPv6 handling. The flaw occurs when the network interface pointer is accessed from a packet after the packet has been freed during sending, leading to potential memory corruption and denial of service. This affects Zephyr versions 4.2.0 through before 4.5.0 with native IPv6 networking enabled. The issue can be triggered remotely by sending ICMPv6 Echo Requests or packets that generate ICMPv6 errors. The vulnerability has a medium severity with a CVSS score of 5.9.
AI Analysis
Technical Summary
In Zephyr versions 4.2.0 through before 4.5.0 with CONFIG_NET_NATIVE_IPV6 enabled, the ICMPv6 code reads the network interface pointer from a net_pkt after the packet has been passed to net_try_send_data(), which may free the packet synchronously or asynchronously. This results in a use-after-free condition when net_pkt_iface() dereferences a freed packet pointer. When per-interface statistics are enabled, this stale pointer is further dereferenced and written to, causing memory corruption. The vulnerability can be triggered remotely by unauthenticated attackers sending ICMPv6 Echo Requests or packets eliciting ICMPv6 errors, leading to denial of service via crash and potential memory corruption. The fix involves caching the interface pointer before sending and using it for statistics updates. A similar fix was applied for ICMPv4.
Potential Impact
An unauthenticated remote attacker can trigger this vulnerability by sending ICMPv6 Echo Requests or packets that cause ICMPv6 errors, resulting in a use-after-free condition. This leads to denial of service through application crashes and may cause memory corruption. There is no impact on confidentiality or integrity reported. The vulnerability affects availability of the affected Zephyr networking stack.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix caches the interface pointer before sending to avoid use-after-free. Until an official fix is confirmed and applied, users should consider disabling CONFIG_NET_STATISTICS_PER_INTERFACE or CONFIG_NET_NATIVE_IPV6 as potential temporary mitigations, if feasible. Monitor official Zephyr project advisories for patches addressing this issue.
CVE-2026-10638: use-after-free in zephyrproject zephyr
Description
A use-after-free vulnerability exists in the Zephyr project's networking stack for ICMPv6 handling. The flaw occurs when the network interface pointer is accessed from a packet after the packet has been freed during sending, leading to potential memory corruption and denial of service. This affects Zephyr versions 4.2.0 through before 4.5.0 with native IPv6 networking enabled. The issue can be triggered remotely by sending ICMPv6 Echo Requests or packets that generate ICMPv6 errors. The vulnerability has a medium severity with a CVSS score of 5.9.
CVSS v3.1
Score 5.9medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In Zephyr versions 4.2.0 through before 4.5.0 with CONFIG_NET_NATIVE_IPV6 enabled, the ICMPv6 code reads the network interface pointer from a net_pkt after the packet has been passed to net_try_send_data(), which may free the packet synchronously or asynchronously. This results in a use-after-free condition when net_pkt_iface() dereferences a freed packet pointer. When per-interface statistics are enabled, this stale pointer is further dereferenced and written to, causing memory corruption. The vulnerability can be triggered remotely by unauthenticated attackers sending ICMPv6 Echo Requests or packets eliciting ICMPv6 errors, leading to denial of service via crash and potential memory corruption. The fix involves caching the interface pointer before sending and using it for statistics updates. A similar fix was applied for ICMPv4.
Potential Impact
An unauthenticated remote attacker can trigger this vulnerability by sending ICMPv6 Echo Requests or packets that cause ICMPv6 errors, resulting in a use-after-free condition. This leads to denial of service through application crashes and may cause memory corruption. There is no impact on confidentiality or integrity reported. The vulnerability affects availability of the affected Zephyr networking stack.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix caches the interface pointer before sending to avoid use-after-free. Until an official fix is confirmed and applied, users should consider disabling CONFIG_NET_STATISTICS_PER_INTERFACE or CONFIG_NET_NATIVE_IPV6 as potential temporary mitigations, if feasible. Monitor official Zephyr project advisories for patches addressing this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-02T15:10:55.949Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3165080b89be6888c91b23
Added to database: 6/16/2026, 3:00:24 PM
Last enriched: 6/16/2026, 3:16:23 PM
Last updated: 6/17/2026, 4:57:01 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.