CVE-2026-10667: use-after-free in zephyrproject zephyr
Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj_list) of dynamically allocated kernel objects. Iteration over this list in k_object_wordlist_foreach() was performed under lists_lock using the SAFE iterator (which caches the next node), but list removal and freeing of nodes was performed under different, disjoint spinlocks: objfree_lock in k_object_free() and obj_lock in unref_check(). On an SMP system, while one CPU iterated obj_list under lists_lock, another CPU could unlink and k_free() the dyn_obj node that the iterator had cached as its next pointer, causing the iterator to dereference freed kernel memory (use-after-free / dangling list traversal). All of the racing operations are reachable from unprivileged user-mode threads via system calls: k_object_alloc/k_object_alloc_size and k_object_release drive removals through unref_check() (under obj_lock), while k_thread_abort and thread creation drive the iteration through k_thread_perms_all_clear()/k_thread_perms_inherit() (under lists_lock). A deprivileged user thread on a CONFIG_SMP + CONFIG_USERSPACE build can therefore corrupt the kernel's object-tracking structures across the userspace security boundary, yielding kernel memory corruption (potential privilege escalation) or a kernel crash (denial of service). The fix removes objfree_lock and serializes every obj_list modification under lists_lock, including holding it across find+remove in k_object_free() and around unref_check() in k_thread_perms_clear(). Affects CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations; the defect dates to the 2019 spinlockification (commit 8a3d57b6cc6, first released in v1.14.0) and shipped through v4.4.0.
AI Analysis
Technical Summary
Zephyr's kernel dynamic object tracking maintains a doubly-linked list of kernel objects. Iteration over this list uses a SAFE iterator under the lists_lock spinlock, but removal and freeing of nodes occur under separate, disjoint spinlocks (objfree_lock and obj_lock). On SMP systems, this allows a race where one CPU iterating the list may dereference a node that another CPU has freed, causing use-after-free. The vulnerability is reachable from unprivileged user-mode threads through system calls that allocate, release, or abort kernel objects and threads. The defect has existed since the 2019 spinlockification starting in v1.14.0 and affects all versions up to but not including 4.5.0. The fix involves removing objfree_lock and serializing all obj_list modifications under lists_lock to prevent concurrent unsafe access.
Potential Impact
A deprivileged user thread on a system configured with SMP, userspace, and dynamic objects can exploit this race condition to corrupt kernel memory. This can lead to privilege escalation by compromising kernel integrity or cause a denial of service through kernel crashes. The vulnerability affects the security boundary between userspace and kernel, making it a critical concern for systems relying on Zephyr with these configurations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix removes the objfree_lock and ensures all modifications to the kernel object list are serialized under lists_lock. Until an official fix is available, avoid running untrusted user-mode threads on affected configurations or disable CONFIG_SMP, CONFIG_USERSPACE, or CONFIG_DYNAMIC_OBJECTS if feasible to mitigate risk.
CVE-2026-10667: use-after-free in zephyrproject zephyr
Description
Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj_list) of dynamically allocated kernel objects. Iteration over this list in k_object_wordlist_foreach() was performed under lists_lock using the SAFE iterator (which caches the next node), but list removal and freeing of nodes was performed under different, disjoint spinlocks: objfree_lock in k_object_free() and obj_lock in unref_check(). On an SMP system, while one CPU iterated obj_list under lists_lock, another CPU could unlink and k_free() the dyn_obj node that the iterator had cached as its next pointer, causing the iterator to dereference freed kernel memory (use-after-free / dangling list traversal). All of the racing operations are reachable from unprivileged user-mode threads via system calls: k_object_alloc/k_object_alloc_size and k_object_release drive removals through unref_check() (under obj_lock), while k_thread_abort and thread creation drive the iteration through k_thread_perms_all_clear()/k_thread_perms_inherit() (under lists_lock). A deprivileged user thread on a CONFIG_SMP + CONFIG_USERSPACE build can therefore corrupt the kernel's object-tracking structures across the userspace security boundary, yielding kernel memory corruption (potential privilege escalation) or a kernel crash (denial of service). The fix removes objfree_lock and serializes every obj_list modification under lists_lock, including holding it across find+remove in k_object_free() and around unref_check() in k_thread_perms_clear(). Affects CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations; the defect dates to the 2019 spinlockification (commit 8a3d57b6cc6, first released in v1.14.0) and shipped through v4.4.0.
CVSS v3.1
Score 7.8high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Zephyr's kernel dynamic object tracking maintains a doubly-linked list of kernel objects. Iteration over this list uses a SAFE iterator under the lists_lock spinlock, but removal and freeing of nodes occur under separate, disjoint spinlocks (objfree_lock and obj_lock). On SMP systems, this allows a race where one CPU iterating the list may dereference a node that another CPU has freed, causing use-after-free. The vulnerability is reachable from unprivileged user-mode threads through system calls that allocate, release, or abort kernel objects and threads. The defect has existed since the 2019 spinlockification starting in v1.14.0 and affects all versions up to but not including 4.5.0. The fix involves removing objfree_lock and serializing all obj_list modifications under lists_lock to prevent concurrent unsafe access.
Potential Impact
A deprivileged user thread on a system configured with SMP, userspace, and dynamic objects can exploit this race condition to corrupt kernel memory. This can lead to privilege escalation by compromising kernel integrity or cause a denial of service through kernel crashes. The vulnerability affects the security boundary between userspace and kernel, making it a critical concern for systems relying on Zephyr with these configurations.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The described fix removes the objfree_lock and ensures all modifications to the kernel object list are serialized under lists_lock. Until an official fix is available, avoid running untrusted user-mode threads on affected configurations or disable CONFIG_SMP, CONFIG_USERSPACE, or CONFIG_DYNAMIC_OBJECTS if feasible to mitigate risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-02T15:25:29.239Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a54991068715ace436e94e5
Added to database: 07/13/2026, 07:51:44 UTC
Last enriched: 07/13/2026, 07:53:23 UTC
Last updated: 07/13/2026, 19:47:35 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.