CVE-2026-5590
Received Received - Intake
Race Condition in Zephyr TCP Stack Causes NULL Pointer Crash

Publication date: 2026-04-05

Last updated on: 2026-04-05

Assigner: Zephyr Project

Description
A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-05
Generated
2026-06-16
AI Q&A
2026-04-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5590
EUVD
EUVD-2026-19028
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr to 4.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-5590 causes a crash due to a null pointer dereference in the Zephyr TCP/IP stack, leading to a high impact on availability but only low impact on confidentiality and integrity.

Since the vulnerability primarily affects system availability and has low confidentiality and integrity impact, it may indirectly affect compliance with standards like GDPR and HIPAA that require system availability and data protection.

However, there is no explicit information provided about direct effects on compliance with these regulations or standards.

Executive Summary

CVE-2026-5590 is a moderate severity vulnerability in the Zephyr project's TCP/IP stack, specifically in the tcp_recv() function. It is caused by a race condition during TCP connection teardown.

When a TCP connection is released, the pointer to the connection context is set to NULL and the connection is removed while holding a lock. However, incoming packets for the same connection may still be processed concurrently.

If the connection is removed first, the function tcp_conn_search() returns NULL. Then, when processing a SYN packet, the code dereferences a NULL pointer without checking, leading to a crash due to a null pointer dereference.

Impact Analysis

This vulnerability can cause a crash in the TCP/IP stack of the affected system, leading to a denial of service (DoS) condition.

The impact includes low confidentiality and integrity loss but high availability impact, meaning the system's network communication can be disrupted or stopped.

An attacker with network access and low privileges can exploit this vulnerability without user interaction, but the attack complexity is high.

Detection Guidance

Detection of this vulnerability involves monitoring for crashes or abnormal behavior in the Zephyr TCP/IP stack, specifically related to tcp_recv() processing SYN packets.

Since the issue is a null pointer dereference caused by a race condition during TCP connection teardown, one approach is to check system logs for crashes or kernel panics related to tcp_recv() or tcp_backlog_is_full().

Network-level detection could involve capturing and analyzing TCP SYN packets to see if they trigger connection teardown race conditions, but no specific detection commands are provided.

No explicit commands or detection tools are mentioned in the provided resources.

Mitigation Strategies

Immediate mitigation steps include limiting network access to the affected Zephyr TCP/IP stack to reduce exposure to malicious SYN packets that could trigger the race condition.

Since no patched versions are officially released at the time of the advisory, applying the referenced patch (#102110) from the Zephyr project repository as soon as it is available is recommended.

Additionally, monitoring system stability and avoiding high concurrency TCP connection teardowns may reduce the likelihood of triggering the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5590. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart