CVE-2026-10635
Status: Received - Intake
Memory Corruption in Zephyr RTOS via Stale Domain Pointer

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Zephyr Project

Description
On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain_deinit() -> arch_mem_domain_deinit(), the page tables are torn down and domain->arch.ptables is set to NULL, but the domain's node was not removed from xtensa_domain_list. The deinitialized domain therefore remained linked into the global list as a dangling pointer into caller-owned storage that may then be freed or reused.

Any subsequent arch_mem_map()/arch_mem_unmap() operation (widely invoked by kernel memory-mapping and demand-paging code) traverses the stale node and dereferences domain->arch.ptables. At minimum this is a NULL pointer dereference causing a fatal MMU exception (denial of service). If the k_mem_domain storage has been freed or reused, it becomes a use-after-free in which a stale or controlled ptables value is dereferenced and written through during the page-table walk (l2_page_table_map writes l1_table[...] and l2_table[...], and xtensa_mmu_compute_domain_regs writes into the domain struct and the L1 table), yielding page-table memory corruption that can undermine userspace isolation.

The vulnerable path is reachable only from privileged kernel/supervisor code (k_mem_domain_deinit is not a syscall), not directly from unprivileged user threads or remotely.

Affected: Zephyr v4.4.0 (the Xtensa memory-domain de-initialization feature was introduced in commit 3032b58f52d and first shipped in v4.4.0). Fixed on main by adding sys_slist_find_and_remove() in arch_mem_domain_deinit(). The Xtensa MPU path is unaffected.
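The following is an added C model of the bug pattern described above, written for this page; it is not Zephyr code and does not touch real page tables. It keeps the shape that matters: a global intrusive list whose nodes live inside caller-owned domain structs, a deinit that clears the table pointer but forgets to unlink (vulnerable) beside one that unlinks first (fixed), and a walker standing in for the per-domain loop in arch_mem_map()/arch_mem_unmap(). All names (mem_domain, domain_list, walk_domains, first_walk_outcome) and the junk pointer value used to simulate storage reuse are constructed for the example.

```c
/* Added example, not Zephyr code: a small C model of the stale-list-node bug.
 * A global intrusive list holds nodes embedded in caller-owned domain structs;
 * a deinit that clears ptables but forgets to unlink leaves the list walker
 * reading the caller's storage. Every name here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

struct snode { struct snode *next; };            /* intrusive list node */
struct slist { struct snode *head, *tail; };

struct mem_domain {
    struct snode node;        /* embedded node: lives inside the caller's struct */
    unsigned long *ptables;   /* stand-in for domain->arch.ptables */
};

#define CONTAINER_OF(p, type, member) \
    ((type *)((char *)(p) - offsetof(type, member)))

static struct slist domain_list;                 /* models xtensa_domain_list */

static void slist_append(struct slist *l, struct snode *n)
{
    n->next = NULL;
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n;
}

/* Unlink n if present: the step the fix adds to the deinit path. */
static bool slist_find_and_remove(struct slist *l, struct snode *n)
{
    struct snode *prev = NULL;
    for (struct snode *cur = l->head; cur; prev = cur, cur = cur->next) {
        if (cur != n) continue;
        if (prev) prev->next = cur->next; else l->head = cur->next;
        if (l->tail == cur) l->tail = prev;
        cur->next = NULL;
        return true;
    }
    return false;
}

void domain_init(struct mem_domain *d)
{
    d->ptables = calloc(4, sizeof *d->ptables);  /* toy L1 table */
    slist_append(&domain_list, &d->node);
}

/* Vulnerable shape: tears down the tables but leaves the node linked. */
void domain_deinit_vulnerable(struct mem_domain *d)
{
    free(d->ptables);
    d->ptables = NULL;
}

/* Fixed shape: also unlinks the node before the caller reuses the storage. */
void domain_deinit_fixed(struct mem_domain *d)
{
    free(d->ptables);
    d->ptables = NULL;
    slist_find_and_remove(&domain_list, &d->node);
}

/* Models the per-domain loop of a page-table operation. A real walk writes
 * through each ptables value; this model only records what it would have
 * dereferenced, so a stale entry is reported instead of faulting. */
int walk_domains(uintptr_t *seen, int max)
{
    int n = 0;
    for (struct snode *p = domain_list.head; p && n < max; p = p->next) {
        struct mem_domain *d = CONTAINER_OF(p, struct mem_domain, node);
        seen[n++] = (uintptr_t)d->ptables;
    }
    return n;
}

enum walk_outcome { WALK_OK = 0, WALK_NULL_DEREF = 1, WALK_STALE_PTR = 2 };

/* Scenario: two domains; deinit the first with the chosen variant, optionally
 * let the caller reuse its storage (constructed junk stands in for whatever the
 * caller stored there next), then classify what the walk dereferences first. */
enum walk_outcome first_walk_outcome(bool use_fix, bool reuse_storage)
{
    struct mem_domain a, b;
    uintptr_t seen[2] = {0, 0};
    domain_list.head = domain_list.tail = NULL;
    domain_init(&a);
    domain_init(&b);
    uintptr_t live = (uintptr_t)b.ptables;        /* the only valid table left */
    if (use_fix) domain_deinit_fixed(&a); else domain_deinit_vulnerable(&a);
    if (reuse_storage)
        a.ptables = (unsigned long *)(uintptr_t)0x41414140u;  /* constructed junk */
    int n = walk_domains(seen, 2);
    enum walk_outcome r = (n && seen[0] == live) ? WALK_OK
                        : (n && seen[0] == 0)    ? WALK_NULL_DEREF : WALK_STALE_PTR;
    slist_find_and_remove(&domain_list, &a.node);  /* empty the list before a, b die */
    domain_deinit_fixed(&b);
    return r;
}
```

Calling first_walk_outcome(false, false) models the minimum impact on the page (the walker reaches the still-linked domain and would dereference a NULL ptables), first_walk_outcome(false, true) models the use-after-free (the walker would write through whatever now occupies the caller's storage), and first_walk_outcome(true, true) shows that unlinking in deinit makes later reuse of the struct harmless. Note that in the real kernel the struct's next pointer sits in the same reused storage, so a corrupted list can also send the walk off into arbitrary memory before it ever reaches ptables.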
Meta Information
Generated: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version
zephyrproject | zephyr | 4.4.0
zephyrproject | zephyr | 4.5.0
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

CVE-2026-10635 is a use-after-free vulnerability in the Zephyr RTOS affecting Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU enabled.

The issue occurs during memory-domain de-initialization: the global list of active memory domains keeps a node that points into the deinitialized domain's caller-owned storage, which may then be freed or reused.

When a domain is destroyed via k_mem_domain_deinit(), the page tables are torn down and the domain's ptables pointer is set to NULL, but the domain's node remains linked in the global xtensa_domain_list.

Subsequent page-table operations traverse this stale node, leading to either a NULL pointer dereference causing a fatal MMU exception or a use-after-free if the domain storage has been reused.

This can result in page-table memory corruption, potentially undermining userspace isolation.

The vulnerability is only reachable from privileged kernel code, not directly from user threads or remote sources.

Impact Analysis

This vulnerability can cause a denial of service due to a fatal MMU exception triggered by a NULL pointer dereference.

It can also lead to use-after-free conditions resulting in page-table memory corruption.

Because the page-table walk writes through the stale ptables value, the corruption lands in the L1/L2 page tables themselves, which can undermine the isolation between user threads and the kernel.

However, the vulnerable path is reachable only from privileged kernel code (for example, a subsystem that deinitializes a memory domain and then frees or reuses its storage), not directly from unprivileged user threads or remote attackers.

Detection Guidance

This vulnerability manifests as a use-after-free or NULL pointer dereference in the Zephyr RTOS kernel on Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU enabled. Detection would involve watching for fatal MMU exceptions (for example, a load/store fault at or near address 0) or kernel crashes raised from arch_mem_map()/arch_mem_unmap() shortly after a k_mem_domain_deinit() call.

Since the vulnerable code path is only reachable from privileged kernel code and not from user threads or remotely, detection would require kernel-level debugging or logging.

Specific commands are not provided in the available resources, but typical approaches might include enabling kernel debug logs around memory domain operations or using kernel debugging tools to trace calls to k_mem_domain_deinit() and subsequent page-table operations.

Mitigation Strategies

The immediate mitigation is to update the Zephyr RTOS to a version that includes the fix for this vulnerability. The fix was merged in commit 33d43d0 targeting release v4.5.0. Note that the CPE list on this page also names 4.5.0 as affected; confirm the exact fixed release against the Zephyr project's advisory before treating an upgrade as sufficient.

The fix removes the dangling node from the global xtensa_domain_list during memory domain de-initialization, preventing use-after-free and NULL pointer dereference issues.

If updating is not immediately possible, do not call k_mem_domain_deinit() on affected Xtensa MMU targets (keep memory domains allocated for the lifetime of the system), and never free or reuse a struct k_mem_domain that has been passed to it. Disabling CONFIG_USERSPACE or CONFIG_XTENSA_MMU also closes the path, but it removes the userspace isolation the page tables provide, so it is rarely an acceptable trade.
