CVE-2026-13351: Missing Release of Resource after Effective Lifetime in zephyrproject-rtos Zephyr
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.
AI Analysis
Technical Summary
CVE-2026-13351 describes a denial of service vulnerability in the Zephyr RTOS IPv6 network stack. When processing maliciously fragmented IPv6 packets, the fragment-header handling path fails to release the associated RX network packet buffer back to the memory slab pool. Repeated exploitation exhausts all RX buffer slots, preventing the device from obtaining new RX buffers and effectively halting incoming network traffic. This vulnerability affects Zephyr versions up to 4.3 inclusive. No official patch or remediation level has been published as of the data provided.
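A minimal model of the leak pattern described above, added here as an illustration. It is not Zephyr code: the pool size, the function names and the `bad_fragment` flag are assumptions standing in for details the advisory does not give.

```c
#include <stdbool.h>
#include <stdio.h>
#define RX_SLOTS 4   /* constructed pool size, not a Zephyr default */

struct rx_pool { bool in_use[RX_SLOTS]; };

/* Take one free slot, or return -1 when the pool is exhausted. */
static int rx_alloc(struct rx_pool *p) {
    for (int i = 0; i < RX_SLOTS; i++) {
        if (!p->in_use[i]) { p->in_use[i] = true; return i; }
    }
    return -1;
}
static void rx_free(struct rx_pool *p, int slot) { p->in_use[slot] = false; }

static int rx_free_count(const struct rx_pool *p) {
    int n = 0;
    for (int i = 0; i < RX_SLOTS; i++) n += !p->in_use[i];
    return n;
}

/* Hypothetical receive path; bad_fragment models a packet that the fragment
 * handler rejects. Returns 0 handled, -1 rejected, -2 no RX buffer left. */
static int rx_handle(struct rx_pool *p, bool bad_fragment, bool release_on_reject) {
    int slot = rx_alloc(p);
    if (slot < 0) return -2;
    if (bad_fragment) {
        if (release_on_reject) rx_free(p, slot);  /* corrected path */
        return -1;                                /* leaky path keeps the slot */
    }
    rx_free(p, slot);
    return 0;
}

/* Feed n rejected fragments, then one normal packet; return its status. */
static int rx_after_rejects(int n, bool release_on_reject, int *free_left) {
    struct rx_pool p = {0};
    for (int i = 0; i < n; i++) (void)rx_handle(&p, true, release_on_reject);
    int status = rx_handle(&p, false, release_on_reject);
    *free_left = rx_free_count(&p);
    return status;
}

int main(void) {
    int f1, f2;
    int leaky = rx_after_rejects(RX_SLOTS, false, &f1);
    int fixed = rx_after_rejects(RX_SLOTS, true, &f2);
    printf("leaky: status=%d free=%d; fixed: status=%d free=%d\n", leaky, f1, fixed, f2);
    return 0;
}
```

With the release missing, as many rejected packets as there are slots is enough to make every later receive fail; with the release in place the pool returns to full after each rejection.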
Potential Impact
The vulnerability results in a denial of service condition by exhausting RX network packet buffers, causing the affected device to stop receiving IPv6 traffic. There is no impact on confidentiality or integrity reported, but availability is severely affected.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, consider network-level filtering to block suspicious fragmented IPv6 packets if feasible.
CVSS v3.1
Score 7.5 (high)
Technical Details
- Data Version: 5.2
- Assigner Short Name: zephyr
- Date Reserved: 2026-06-25T16:13:43.055Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3d5b504853345fc1337276
Added to database: 06/25/2026, 16:46:08 UTC
Last enriched: 06/25/2026, 17:01:39 UTC
Last updated: 06/25/2026, 20:14:29 UTC