Zephyr's IPv6 Neighbor Discovery send functions (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs) update per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) has successfully returned. Since the network stack releases the packet reference upon successful send, the packet's memory can be freed before the statistics update occurs. This leads to a use-after-free condition when net_pkt_iface(pkt) accesses the freed memory, causing potential memory corruption, crashes, or corrupted statistics. The vulnerable code path is reachable by any unauthenticated on-link node sending ICMPv6 Neighbor Solicitations. The vulnerability affects Zephyr versions from 3.3.0 through 4.4.0. The fix involves using the already-available interface argument instead of accessing the freed packet.

This vulnerability can lead to corrupted network statistics, denial of service via application crashes, or limited memory corruption on affected Zephyr devices. It does not impact confidentiality but can affect integrity and availability. The vulnerability is exploitable by unauthenticated on-link attackers sending ICMPv6 Neighbor Solicitations, potentially causing service disruption or instability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix replaces the use-after-free prone packet reference with a safe interface argument. Until an official patch is available, disabling per-interface statistics (CONFIG_NET_STATISTICS_PER_INTERFACE) can mitigate the memory safety aspect, as only a global counter is updated in that configuration. Monitor vendor advisories for an official fix and apply it once released.