CVE-2026-5590
Race Condition in Zephyr TCP Stack Causes NULL Pointer Crash
Publication date: 2026-04-05
Last updated on: 2026-04-05
Assigner: Zephyr Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zephyrproject | zephyr | up to and including 4.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5590 is a moderate-severity vulnerability in the Zephyr project's TCP/IP stack, specifically in the tcp_recv() function. It is caused by a race condition during TCP connection teardown.
When a TCP connection is released, the pointer to the connection context is set to NULL and the connection is removed while holding a lock. However, incoming packets for the same connection may still be processed concurrently.
If the connection is removed first, the function tcp_conn_search() returns NULL. Then, when processing a SYN packet, the code dereferences a NULL pointer without checking, leading to a crash due to a null pointer dereference.
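The interleaving described above, reduced to a single-threaded C model (an added example, not Zephyr's code or the referenced patch). The table, conn_search(), admit() and the syn_* handlers are hypothetical names, and the backlog check is an assumed stand-in for whatever the SYN path dereferences.

```c
/* Added illustration, not Zephyr source; every name is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#define NCONN 4
enum verdict { SYN_ACCEPT, SYN_DROP_NO_CONN, SYN_DROP_BACKLOG_FULL };
struct listener { int backlog_used, backlog_max; };
struct conn { int in_use; uint16_t port; struct listener *ctx; };
static struct conn table[NCONN];

/* Lookup by local port; returns NULL once the entry has been removed. */
static struct conn *conn_search(uint16_t port) {
    for (size_t i = 0; i < NCONN; i++)
        if (table[i].in_use && table[i].port == port) return &table[i];
    return NULL;
}
static struct conn *conn_add(uint16_t port, struct listener *l) {
    for (size_t i = 0; i < NCONN; i++)
        if (!table[i].in_use) {
            table[i] = (struct conn){ 1, port, l };
            return &table[i];
        }
    return NULL;
}
/* Teardown: clear the context pointer, remove the entry. */
static void conn_release(struct conn *c) { c->ctx = NULL; c->in_use = 0; }
/* Backlog accounting (stand-in); dereferences c and c->ctx unconditionally. */
static enum verdict admit(struct conn *c) {
    if (c->ctx->backlog_used >= c->ctx->backlog_max) return SYN_DROP_BACKLOG_FULL;
    c->ctx->backlog_used++;
    return SYN_ACCEPT;
}
/* Vulnerable shape: trusts the lookup, so a SYN that arrives after
 * teardown passes NULL to admit() and faults. */
static enum verdict syn_unchecked(uint16_t port) { return admit(conn_search(port)); }

/* Hardened shape: validate before use. In a concurrent stack the lookup and
 * this check must run under the same lock (or reference) teardown uses. */
static enum verdict syn_checked(uint16_t port) {
    struct conn *c = conn_search(port);
    if (c == NULL || c->ctx == NULL) return SYN_DROP_NO_CONN;
    return admit(c);
}
int main(void) {
    struct listener l = { 0, 2 };
    struct conn *c = conn_add(8080, &l);
    int ok = syn_unchecked(8080) == SYN_ACCEPT;   /* safe: connection is live */
    conn_release(c);                               /* teardown finishes first */
    return !(ok && syn_checked(8080) == SYN_DROP_NO_CONN); /* late SYN dropped */
}
```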
How can this vulnerability impact me?
This vulnerability can cause a crash in the TCP/IP stack of the affected system, leading to a denial of service (DoS) condition.
The confidentiality and integrity impact is low, but the availability impact is high: the system's network communication can be disrupted or stopped.
An attacker with network access and low privileges can exploit this vulnerability without user interaction, but the attack complexity is high.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for crashes or abnormal behavior in the Zephyr TCP/IP stack, specifically related to tcp_recv() processing SYN packets.
Since the issue is a null pointer dereference caused by a race condition during TCP connection teardown, one approach is to check system logs for crashes or kernel panics related to tcp_recv() or tcp_backlog_is_full().
Network-level detection could involve capturing and analyzing TCP SYN packets to see if they trigger connection teardown race conditions, but no specific detection commands are provided.
No explicit commands or detection tools are mentioned in the provided resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include limiting network access to the affected Zephyr TCP/IP stack to reduce exposure to malicious SYN packets that could trigger the race condition.
Since no patched versions are officially released at the time of the advisory, applying the referenced patch (#102110) from the Zephyr project repository as soon as it is available is recommended.
Additionally, monitoring system stability and avoiding high concurrency TCP connection teardowns may reduce the likelihood of triggering the vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-5590 causes a crash due to a null pointer dereference in the Zephyr TCP/IP stack, leading to a high impact on availability but only low impact on confidentiality and integrity.
Since the vulnerability primarily affects system availability and has low confidentiality and integrity impact, it may indirectly affect compliance with standards like GDPR and HIPAA that require system availability and data protection.
However, there is no explicit information provided about direct effects on compliance with these regulations or standards.