CVE-2026-10639: use-after-free in zephyrproject zephyr
CVE-2026-10639 is a use-after-free vulnerability in the Zephyr project's native IPv4 stack affecting versions from 1.14.0 through 4.4.0. The flaw occurs in the handling of ICMPv4 echo requests, where a packet is freed before its interface pointer is accessed for statistics updates, leading to a use-after-free read and potential write through a stale pointer. This can cause corrupted interface statistics or a remotely triggerable denial of service (DoS). The vulnerability is exploitable by any remote host sending ICMP echo requests (pings) and requires the CONFIG_NET_STATISTICS_ICMP configuration. The defect was introduced in 2019 and fixed by caching the interface pointer before sending the packet. The CVSS score is 4.8 (medium severity).
AI Analysis
Technical Summary
In Zephyr's native IPv4 stack, the function icmpv4_handle_echo_request() creates an echo-reply packet and passes it to net_try_send_data(), which transfers ownership of the packet to the transmission path and may free it asynchronously. However, after sending, the code calls net_stats_update_icmp_sent() using the interface pointer from the now potentially freed packet, causing a use-after-free read and possibly a write through a stale pointer when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. This vulnerability allows unauthenticated remote attackers to cause corrupted interface statistics or a denial of service by sending ICMP echo requests. The issue affects Zephyr versions from 1.14.0 through 4.4.0 and was introduced in 2019. The fix involves caching the interface pointer before sending the packet to avoid accessing freed memory.
Potential Impact
The vulnerability allows remote unauthenticated attackers to trigger a use-after-free condition by sending ICMP echo requests (pings). This can lead to corrupted network interface statistics or cause the device to crash, resulting in a denial of service. There is no direct confidentiality or integrity impact reported, but availability is affected due to potential crashes.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The fix described involves caching the interface pointer before sending the packet to avoid use-after-free. Until an official fix is applied, consider disabling CONFIG_NET_STATISTICS_ICMP if feasible to prevent triggering the vulnerable code path.
CVE-2026-10639: use-after-free in zephyrproject zephyr
Description
CVE-2026-10639 is a use-after-free vulnerability in the Zephyr project's native IPv4 stack affecting versions from 1.14.0 through 4.4.0. The flaw occurs in the handling of ICMPv4 echo requests, where a packet is freed before its interface pointer is accessed for statistics updates, leading to a use-after-free read and potential write through a stale pointer. This can cause corrupted interface statistics or a remotely triggerable denial of service (DoS). The vulnerability is exploitable by any remote host sending ICMP echo requests (pings) and requires the CONFIG_NET_STATISTICS_ICMP configuration. The defect was introduced in 2019 and fixed by caching the interface pointer before sending the packet. The CVSS score is 4.8 (medium severity).
CVSS v3.1
Score 4.8medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In Zephyr's native IPv4 stack, the function icmpv4_handle_echo_request() creates an echo-reply packet and passes it to net_try_send_data(), which transfers ownership of the packet to the transmission path and may free it asynchronously. However, after sending, the code calls net_stats_update_icmp_sent() using the interface pointer from the now potentially freed packet, causing a use-after-free read and possibly a write through a stale pointer when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. This vulnerability allows unauthenticated remote attackers to cause corrupted interface statistics or a denial of service by sending ICMP echo requests. The issue affects Zephyr versions from 1.14.0 through 4.4.0 and was introduced in 2019. The fix involves caching the interface pointer before sending the packet to avoid accessing freed memory.
Potential Impact
The vulnerability allows remote unauthenticated attackers to trigger a use-after-free condition by sending ICMP echo requests (pings). This can lead to corrupted network interface statistics or cause the device to crash, resulting in a denial of service. There is no direct confidentiality or integrity impact reported, but availability is affected due to potential crashes.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The fix described involves caching the interface pointer before sending the packet to avoid use-after-free. Until an official fix is applied, consider disabling CONFIG_NET_STATISTICS_ICMP if feasible to prevent triggering the vulnerable code path.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-02T15:11:39.435Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3165080b89be6888c91b27
Added to database: 6/16/2026, 3:00:24 PM
Last enriched: 6/16/2026, 3:16:16 PM
Last updated: 6/17/2026, 4:57:32 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.