CVE-2026-10636
Awaiting Analysis
Use-After-Free in Zephyr RTOS IPv4 IGMP Implementation

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Zephyr Project

Description
In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been released by the L2 driver or by the network stack's TX handling (synchronously in the default NET_TC_TX_COUNT=0 immediate-transmit configuration), returning the net_pkt slab block to its free list. The subsequent net_pkt_iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write.

The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net_ipv4_igmp_input -> send_igmp_report/send_igmp_v3_report -> igmp_send), as well as from local multicast join/leave/rejoin operations. Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse.

The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld_send in subsys/net/ip/ipv6_mld.c) retains the same unfixed pattern.

Affected Vendors & Products
Vendor         Product  Version / Range
zephyr         zephyr   From 2.6.0 (inc) to 4.4.0 (inc)
zephyrproject  zephyr   From 2.6.0 (inc) to 4.4.0 (inc)

CWE
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Mitigation Strategies

To mitigate this use-after-free vulnerability in Zephyr's IPv4 IGMP implementation, update Zephyr RTOS to a version that includes the fix, which caches the network interface pointer before sending the packet.

The fix prevents accessing freed memory by storing the network interface reference prior to sending, avoiding the dereference of a potentially freed packet.

Additionally, be aware that the analogous IPv6 MLD path remains unfixed, so monitor for updates regarding that component.
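
The read-after-send ordering and the cache-before-send fix described above, modeled in a small self-contained C program. This is an added illustration, not Zephyr source: the structs, the one-block slab, reused_owner, send_data and the igmp_send_* variants are hypothetical stand-ins, and the "freed" block lives in static storage so the stale read is observable without real undefined behavior.

```c
#include <stdio.h>

/* Simplified stand-ins (hypothetical; not Zephyr's definitions). */
struct iface { unsigned igmp_sent; };
struct pkt   { struct iface *iface; int ref; };
static struct pkt   slab[1];        /* one-block packet slab */
static struct iface reused_owner;   /* next user of a freed block */

static struct pkt *pkt_alloc(struct iface *i)
{
    slab[0] = (struct pkt){ .iface = i, .ref = 1 };
    return &slab[0];
}
/* Dropping the last ref frees the block; the model reuses it at once. */
static void pkt_unref(struct pkt *p)
{
    if (--p->ref == 0)
        *p = (struct pkt){ .iface = &reused_owner, .ref = 1 };
}
/* Immediate-transmit model: a successful send consumes the packet. */
static int send_data(struct pkt *p) { pkt_unref(p); return 0; }

/* Pre-fix ordering: interface read back from the packet after the send. */
static int igmp_send_read_after(struct pkt *p)
{
    if (send_data(p) != 0) return -1;
    p->iface->igmp_sent++;          /* stale: block already released */
    return 0;
}
/* Fixed ordering: cache the interface while the reference is held. */
static int igmp_send_cached(struct pkt *p)
{
    struct iface *iface = p->iface;
    if (send_data(p) != 0) return -1;
    iface->igmp_sent++;
    return 0;
}
/* Sends one packet on a fresh interface; returns that interface's count. */
static unsigned sent_count_after(int (*send_fn)(struct pkt *))
{
    struct iface eth0 = { 0 };
    send_fn(pkt_alloc(&eth0));
    return eth0.igmp_sent;
}
int main(void)
{
    printf("read-after-send: %u\n", sent_count_after(igmp_send_read_after));
    printf("cache-before-send: %u\n", sent_count_after(igmp_send_cached));
    return 0;
}
```

In the pre-fix ordering the counter lands on whatever now owns the block rather than on the sending interface; the same ordering check applies when reviewing the MLD path noted above.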

Detection Guidance

This vulnerability is related to a use-after-free condition in the Zephyr RTOS IPv4 IGMP send path triggered by inbound IPv4 IGMP membership queries addressed to 224.0.0.1 or local multicast join/leave/rejoin operations.

Detection on a network or system would involve monitoring for unusual crashes, denial of service symptoms, or statistics corruption related to IGMP traffic, especially multicast packets to 224.0.0.1.

Since the issue arises from handling IGMP packets, you can capture and analyze IGMP traffic using network packet capture tools such as tcpdump or Wireshark.

  • Use tcpdump to capture IGMP packets: tcpdump -i <interface> igmp
  • Filter for IGMP membership queries to 224.0.0.1: tcpdump -i <interface> 'igmp and dst host 224.0.0.1'
  • Monitor system logs for crashes or errors related to the network stack or Zephyr RTOS IGMP handling.

Direct commands to detect the use-after-free condition itself are not provided in the available information, but monitoring IGMP traffic and system stability during such traffic is recommended.

Executive Summary

This vulnerability is a use-after-free bug in Zephyr RTOS's IPv4 IGMP implementation. Specifically, the function igmp_send() accesses a network packet's interface pointer after the packet may have already been freed by the network stack or driver. This happens because igmp_send() retrieves the interface pointer from the packet after calling net_send_data(), which can release the packet's memory. If the CONFIG_NET_STATISTICS_PER_INTERFACE option is enabled, the dangling pointer is further dereferenced to update statistics, causing undefined behavior.

The vulnerability can be triggered without authentication by sending inbound IPv4 IGMP membership queries to the multicast address 224.0.0.1 or through local multicast join/leave operations. It affects Zephyr versions from v2.6.0 through v4.4.0 and was introduced with IGMPv2 support.

Impact Analysis

The impact of this vulnerability includes undefined behavior such as sporadic crashes or corruption of network statistics. It can potentially cause denial of service conditions by crashing the system or corrupting data.

Exploitation requires high attack complexity and specific conditions, such as asynchronous transmit paths and concurrent memory reuse, making it less likely but still possible.
