CVE-2026-10648: memory-safety in zephyrproject zephyr
CVE-2026-10648 is a memory-safety vulnerability in the Zephyr project affecting versions 4.4.0 up to but not including 4.5.0. The issue arises because a NULL pointer check is missing before a buffer reset operation, leading to a NULL pointer dereference and device crash. An attacker with access to the serial or console transport can flood the buffer pool, causing denial of service by crashing the device. This vulnerability has a CVSS score of 6.2, indicating medium severity.
AI Analysis
Technical Summary
In Zephyr versions 4.4.0 through before 4.5.0, the function mcumgr_serial_process_frag() calls net_buf_reset() on a buffer allocated by smp_packet_alloc() without first checking if the allocation returned NULL. Since smp_packet_alloc() uses net_buf_alloc(K_NO_WAIT) on a limited shared MCUmgr packet pool (default size 4), exhaustion of this pool causes net_buf_alloc to return NULL. The subsequent net_buf_reset call writes through the NULL pointer, causing a fault and device crash. An attacker controlling input on MCUmgr serial/UART/shell-console transports can flood the buffer pool to trigger this denial of service. The defect was introduced after the original MCUmgr rework and fixed by moving the NULL check before net_buf_reset.
Potential Impact
Successful exploitation results in a denial of service condition by crashing the affected device due to a NULL pointer dereference. There is no impact on confidentiality or integrity reported. The attack requires local access to the serial or console transport and can be performed without privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The fix involves adding a NULL check before calling net_buf_reset to prevent the NULL pointer dereference. Until an official fix is available, limiting access to the MCUmgr serial/UART/shell-console transports or implementing rate limiting to prevent buffer pool exhaustion may reduce risk.
CVE-2026-10648: memory-safety in zephyrproject zephyr
Description
CVE-2026-10648 is a memory-safety vulnerability in the Zephyr project affecting versions 4.4.0 up to but not including 4.5.0. The issue arises because a NULL pointer check is missing before a buffer reset operation, leading to a NULL pointer dereference and device crash. An attacker with access to the serial or console transport can flood the buffer pool, causing denial of service by crashing the device. This vulnerability has a CVSS score of 6.2, indicating medium severity.
CVSS v3.1
Score 6.2medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
In Zephyr versions 4.4.0 through before 4.5.0, the function mcumgr_serial_process_frag() calls net_buf_reset() on a buffer allocated by smp_packet_alloc() without first checking if the allocation returned NULL. Since smp_packet_alloc() uses net_buf_alloc(K_NO_WAIT) on a limited shared MCUmgr packet pool (default size 4), exhaustion of this pool causes net_buf_alloc to return NULL. The subsequent net_buf_reset call writes through the NULL pointer, causing a fault and device crash. An attacker controlling input on MCUmgr serial/UART/shell-console transports can flood the buffer pool to trigger this denial of service. The defect was introduced after the original MCUmgr rework and fixed by moving the NULL check before net_buf_reset.
Potential Impact
Successful exploitation results in a denial of service condition by crashing the affected device due to a NULL pointer dereference. There is no impact on confidentiality or integrity reported. The attack requires local access to the serial or console transport and can be performed without privileges or user interaction.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The fix involves adding a NULL check before calling net_buf_reset to prevent the NULL pointer dereference. Until an official fix is available, limiting access to the MCUmgr serial/UART/shell-console transports or implementing rate limiting to prevent buffer pool exhaustion may reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-02T15:11:51.742Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a42fdfe27e9c79719ad118f
Added to database: 06/29/2026, 23:21:34 UTC
Last enriched: 06/29/2026, 23:36:22 UTC
Last updated: 06/30/2026, 00:16:25 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.