CVE-2026-10634
Use-After-Free in Zephyr RTOS TCP Stack

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: Zephyr Project

Description
Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired it afterwards. During that window a concurrent tcp_conn_release(), running on the dedicated TCP work-queue thread when a connection's reference count drops to zero (e.g. a remote peer closing or resetting the connection), can remove and k_mem_slab_free() the cached next connection. When the iterator advances it dereferences the freed (and possibly reallocated) slab memory, a use-after-free that can crash the system (denial of service) and, if the slot has been reused, cause the callback to operate on an attacker-influenced object (potential information disclosure or further fault). net_tcp_foreach() is reached in production via the 'net conn' network shell command and via net_tcp_close_all_for_iface() on interface-down; the freeing side is driven by ordinary TCP traffic. The fix moves the connection/context teardown in tcp_conn_release() inside the tcp_lock critical section and keeps tcp_lock held across the callback in net_tcp_foreach(). The defect was introduced with the modern (TCP2) stack in 2020 and affects releases up to and including v4.4.0.
Affected Vendors & Products (2 associated CPEs)

Vendor          Product   Version / Range
zephyrproject   zephyr    4.4.0
zephyrproject   zephyr    From 2.5.0 (inc) to 4.4.0 (inc)
CWE
CWE ID    Description
CWE-416   The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

This vulnerability is a use-after-free issue in the Zephyr RTOS native TCP stack, specifically in the net_tcp_foreach() function. The function iterates over TCP connections using a cached pointer to the next connection. However, it temporarily releases a lock (tcp_lock) while invoking a callback for each connection. During this window, tcp_conn_release() running concurrently on the TCP work-queue thread can free the next connection in the list if its reference count drops to zero, such as when a remote peer closes or resets the connection. When the iterator advances, it may dereference this freed memory, leading to a use-after-free condition.

This can cause the system to crash (denial of service) or, if the freed memory has been reallocated, allow an attacker to influence the callback's behavior, potentially leading to information disclosure or further faults.

The issue was introduced with the modern TCP2 stack in 2020 and affects Zephyr versions from 2.5.0 up to and including 4.4.0. The fix involves holding the tcp_lock across the callback execution and moving the connection teardown inside the critical section to prevent the race condition.
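The race described in the Description and in the Executive Summary above, as an added example that is not Zephyr's code: a single-threaded C model in which a fixed pool of slots stands in for the k_mem_slab, a singly linked list for the global connection list, a depth counter for the lock, and a parked work item for the TCP work-queue thread blocking on that lock. The per-connection callback stands in for the 'net conn' printer and, while it runs for one connection, simulates a peer reset arriving for the connection after it. tcp_foreach() is written once with a hold_lock switch so the pre-fix pattern (lock dropped around the callback) and the post-fix pattern (lock held across it) can be compared directly. Every identifier in the block (conn_release, on_peer_reset, tcp_foreach, visit_cb, reset_pool, the tcp_lock()/tcp_unlock() helpers named after the advisory's lock) is an assumption of this model, not a Zephyr API.

```c
/* Added example, not Zephyr project code: a single-threaded model of the race behind
 * CVE-2026-10634. A fixed pool stands in for the k_mem_slab, a singly linked list for the
 * global connection list, a depth counter for tcp_lock. All names here are assumed. */
#include <stdio.h>
#include <string.h>
#define POOL_SIZE 4

struct conn {
    struct conn *next;  /* link in the global connection list */
    int id, in_use;     /* in_use is 0 once the slot is back in the pool (freed) */
};

static struct conn pool[POOL_SIZE];
static struct conn *conn_list;        /* list head */
static int lock_depth;                /* models tcp_lock: > 0 while held */
static struct conn *pending_release;  /* release parked until the lock is free */
static int uaf_count;                 /* accesses to a freed slot */
static void on_peer_reset(struct conn *c);
static void tcp_lock(void) { lock_depth++; }
static void tcp_unlock(void)
{
    if (--lock_depth == 0 && pending_release) {  /* parked release proceeds now */
        struct conn *c = pending_release;
        pending_release = NULL;
        on_peer_reset(c);
    }
}

/* tcp_conn_release() + k_mem_slab_free(): unlink and give the slot back. */
static void conn_release(struct conn *c)
{
    struct conn **pp = &conn_list;
    while (*pp && *pp != c) pp = &(*pp)->next;
    if (*pp) *pp = c->next;
    c->in_use = 0;
    c->next = NULL;  /* a real slab free overwrites the slot's contents */
}

/* Work-queue item: peer reset c, refcount hit zero. Needs tcp_lock, so it runs only when free. */
static void on_peer_reset(struct conn *c)
{
    if (lock_depth > 0) {  /* would block on the lock: park it */
        pending_release = c;
        return;
    }
    tcp_lock();
    conn_release(c);
    tcp_unlock();
}

/* net_tcp_foreach(): hold_lock == 0 is the pre-fix pattern, 1 the post-fix one. */
static void tcp_foreach(void (*cb)(struct conn *, int *), int *visited, int hold_lock)
{
    struct conn *c, *next;
    tcp_lock();
    for (c = conn_list; c; c = next) {
        if (!c->in_use) uaf_count++;  /* about to read c->next from a freed slot */
        next = c->next;               /* cached, as SYS_SLIST_FOR_EACH_CONTAINER_SAFE does */
        if (!hold_lock) tcp_unlock(); /* pre-fix window: a release may free next here */
        cb(c, visited);
        if (!hold_lock) tcp_lock();
    }
    tcp_unlock();  /* post-fix: a parked release runs only here, after the loop */
}

/* Per-connection callback ('net conn' printer). During connection 1, a reset for the next one arrives. */
static void visit_cb(struct conn *c, int *visited)
{
    if (!c->in_use) uaf_count++;  /* callback handed a freed object */
    (*visited)++;
    if (c->id == 1 && c->next) on_peer_reset(c->next);
}

static void reset_pool(void)
{
    memset(pool, 0, sizeof pool);
    conn_list = pending_release = NULL;
    lock_depth = uaf_count = 0;
    for (int i = POOL_SIZE - 1; i >= 0; i--) {  /* list order 0,1,2,3 */
        pool[i].id = i; pool[i].in_use = 1;
        pool[i].next = conn_list; conn_list = &pool[i];
    }
}

/* One full iteration; returns freed-slot accesses, stores callback invocations. */
static int run_scenario(int hold_lock, int *visited)
{
    *visited = 0;
    reset_pool();
    tcp_foreach(visit_cb, visited, hold_lock);
    return uaf_count;
}
static int scenario_uaf(int hold_lock) { int v; return run_scenario(hold_lock, &v); }
static int scenario_visited(int hold_lock) { int v; run_scenario(hold_lock, &v); return v; }

int main(void)
{
    printf("pre-fix:  visited=%d freed-slot accesses=%d\n", scenario_visited(0), scenario_uaf(0));
    printf("post-fix: visited=%d freed-slot accesses=%d\n", scenario_visited(1), scenario_uaf(1));
    return 0;
}
```

Build with any C99 compiler (for example cc -std=c99 uaf_model.c). In the pre-fix run the release of connection 2 lands inside the unlocked window, so the iterator advances onto the freed slot: the model records two freed-slot accesses (reading the cached link, then handing the object to the callback) and visits only three connections, because the slab free clobbered the link to connection 3. In the post-fix run the release is parked until tcp_unlock() after the loop, all four connections are visited and no freed slot is touched; the release still happens, just after the critical section ends, which is exactly what holding tcp_lock across the callback buys.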

Impact Analysis

This vulnerability can impact you by causing system crashes due to a use-after-free condition in the TCP stack, resulting in denial of service.

Additionally, if the freed memory is reallocated and controlled by an attacker, the vulnerability could allow the attacker to influence the behavior of callbacks operating on TCP connections, potentially leading to information disclosure or further faults.

Both sides of the race occur during normal operation: the iterating side is reached via the 'net conn' network shell command or when an interface goes down and net_tcp_close_all_for_iface() is called, while the freeing side is driven by ordinary TCP traffic such as a remote peer closing or resetting a connection.

Detection Guidance

On an unpatched build the code that reaches net_tcp_foreach() is the 'net conn' network shell command and net_tcp_close_all_for_iface() during interface-down events, so crashes or faults that coincide with either of those while the node is receiving ordinary TCP traffic (peer closes or resets) are the symptom to look for.

The 'net conn' command lists the current TCP connections, but on an unpatched build it is itself one of the paths that reach net_tcp_foreach(), so inspecting connections with it can also trigger the race.

Mitigation Strategies

The vulnerability is fixed in Zephyr version 4.5.0 by ensuring the tcp_lock is held across the callback in net_tcp_foreach() and moving the connection teardown inside the critical section.

Immediate mitigation steps include upgrading Zephyr to version 4.5.0 or later where the fix is applied.

Until an upgrade is possible, avoid triggering the 'net conn' command or interface-down events that invoke net_tcp_close_all_for_iface(), as these can expose the vulnerability.

Compliance Impact

This vulnerability primarily affects availability, since the use-after-free can crash the system, but it can also lead to information disclosure if the freed memory is reallocated and influenced by an attacker before the callback operates on it.

Since the vulnerability primarily affects availability and has no direct impact on confidentiality or integrity, its effect on compliance with standards like GDPR or HIPAA, which emphasize protection of personal data confidentiality and integrity, is limited.

However, denial of service conditions could indirectly affect compliance if system availability is a regulatory requirement or if the vulnerability is exploited to disrupt services handling sensitive data.
