Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.1%top 99%

CVE-2026-10667: use-after-free in zephyrproject zephyr

0
High
VulnerabilityCVE-2026-10667cvecve-2026-10667
Published: 07/12/2026 (07/12/2026, 16:16:50 UTC)
Source: CVE Database V5
Vendor/Project: zephyrproject
Product: zephyr

Description

Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj_list) of dynamically allocated kernel objects. Iteration over this list in k_object_wordlist_foreach() was performed under lists_lock using the SAFE iterator (which caches the next node), but list removal and freeing of nodes was performed under different, disjoint spinlocks: objfree_lock in k_object_free() and obj_lock in unref_check(). On an SMP system, while one CPU iterated obj_list under lists_lock, another CPU could unlink and k_free() the dyn_obj node that the iterator had cached as its next pointer, causing the iterator to dereference freed kernel memory (use-after-free / dangling list traversal). All of the racing operations are reachable from unprivileged user-mode threads via system calls: k_object_alloc/k_object_alloc_size and k_object_release drive removals through unref_check() (under obj_lock), while k_thread_abort and thread creation drive the iteration through k_thread_perms_all_clear()/k_thread_perms_inherit() (under lists_lock). A deprivileged user thread on a CONFIG_SMP + CONFIG_USERSPACE build can therefore corrupt the kernel's object-tracking structures across the userspace security boundary, yielding kernel memory corruption (potential privilege escalation) or a kernel crash (denial of service). The fix removes objfree_lock and serializes every obj_list modification under lists_lock, including holding it across find+remove in k_object_free() and around unref_check() in k_thread_perms_clear(). Affects CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations; the defect dates to the 2019 spinlockification (commit 8a3d57b6cc6, first released in v1.14.0) and shipped through v4.4.0.

CVSS v3.1

Score 7.8high

Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected software

GitHub Actionsmore threats →cve
zephyr
pkg:github/zephyr
Affected versions
>=1.14.0 <4.5.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/13/2026, 07:53:23 UTC

Technical Analysis

Zephyr's kernel dynamic object tracking maintains a doubly-linked list of kernel objects. Iteration over this list uses a SAFE iterator under the lists_lock spinlock, but removal and freeing of nodes occur under separate, disjoint spinlocks (objfree_lock and obj_lock). On SMP systems, this allows a race where one CPU iterating the list may dereference a node that another CPU has freed, causing use-after-free. The vulnerability is reachable from unprivileged user-mode threads through system calls that allocate, release, or abort kernel objects and threads. The defect has existed since the 2019 spinlockification starting in v1.14.0 and affects all versions up to but not including 4.5.0. The fix involves removing objfree_lock and serializing all obj_list modifications under lists_lock to prevent concurrent unsafe access.

Potential Impact

A deprivileged user thread on a system configured with SMP, userspace, and dynamic objects can exploit this race condition to corrupt kernel memory. This can lead to privilege escalation by compromising kernel integrity or cause a denial of service through kernel crashes. The vulnerability affects the security boundary between userspace and kernel, making it a critical concern for systems relying on Zephyr with these configurations.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix removes the objfree_lock and ensures all modifications to the kernel object list are serialized under lists_lock. Until an official fix is available, avoid running untrusted user-mode threads on affected configurations or disable CONFIG_SMP, CONFIG_USERSPACE, or CONFIG_DYNAMIC_OBJECTS if feasible to mitigate risk.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
zephyr
Date Reserved
2026-06-02T15:25:29.239Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a54991068715ace436e94e5

Added to database: 07/13/2026, 07:51:44 UTC

Last enriched: 07/13/2026, 07:53:23 UTC

Last updated: 07/13/2026, 19:47:35 UTC

Views: 8

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses