CVE-2026-10637
Awaiting Analysis
Use-After-Free in Zephyr RTOS IPv6 MLD Stack

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Zephyr Project

Description
subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after that call'), a successful send transfers ownership of the net_pkt and the L2 driver frees it (e.g. ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab. The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot is concurrently reallocated, pkt->iface may read back as NULL (NULL-pointer dereference / crash) or as a stale/garbage pointer (stray increment write / memory corruption). The path is reachable remotely on the local link without authentication: handle_mld_query() (registered for NET_ICMPV6_MLD_QUERY) responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() -> mld_send(). The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption. The fix caches the interface in a local before sending and no longer touches the packet after net_send_data(). The IPv4/IGMP sibling (igmp_send) already used the corrected pattern.
Affected Vendors & Products
Vendor Product Version / Range
zephyrproject zephyr *
zephyrproject zephyr 4.5.0
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

CVE-2026-10637 is a use-after-free vulnerability in the Zephyr RTOS networking stack, specifically in the IPv6 Multicast Listener Discovery (MLD) send path.

The issue occurs when the function mld_send() reads the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) has already returned successfully. According to the network stack's ownership contract, a successful send transfers ownership of the net_pkt to the L2 driver, which then frees it. Accessing the packet after this point results in a use-after-free condition.

This vulnerability can be triggered remotely by a link-local MLD Query: handle_mld_query() responds to a valid MLDv2 General Query by calling send_mld_report(), which calls mld_send(). If the CONFIG_NET_STATISTICS_PER_INTERFACE option is enabled, the interface pointer read from the freed packet is dereferenced, leading to either a NULL-pointer dereference (causing a crash) or memory corruption if the slot is reallocated.

The vulnerability results in a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption.

Impact Analysis

This vulnerability can cause a denial of service (DoS) on the affected device's networking stack by remotely triggering a crash through a NULL-pointer dereference or potentially causing memory corruption.

Since the vulnerability can be triggered remotely on the local link without authentication, an attacker on the same network segment could exploit it to disrupt network communications or cause instability in the device.

Detection Guidance

This vulnerability is triggered remotely by a link-local MLDv2 General Query packet on the local network. Detection involves monitoring for such MLD Query packets that could trigger the use-after-free condition in the Zephyr RTOS networking stack.

Since the issue causes a denial of service or potential crashes due to NULL-pointer dereference or memory corruption, signs of the vulnerability may include unexpected network stack crashes or instability on devices running affected Zephyr RTOS versions.

Specific commands to detect this vulnerability are not provided in the available resources. However, network packet capture tools like tcpdump or Wireshark can be used to monitor for MLDv2 General Query packets on the local link, which are the trigger for this vulnerability.

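  • Use tcpdump to capture MLD Query packets (ICMPv6 type 130, which includes MLDv2 General Queries). MLD messages normally carry a Hop-by-Hop Router Alert header, which moves the ICMPv6 type from offset 40 to offset 48, so the filter checks both layouts: tcpdump -i <interface> '(ip6[6] == 58 and ip6[40] == 130) or (ip6[6] == 0 and ip6[40] == 58 and ip6[48] == 130)'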
  • Monitor system logs or kernel logs for crashes or errors related to the network stack or NULL-pointer dereferences.
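
The capture filter above matches every MLD Query. As an added example (not from the advisory or the Zephyr project), the C helper below narrows a captured packet to the MLDv2 General Query form the description names: hop limit 1, unspecified multicast address, message of at least 28 bytes. It assumes the buffer starts at the IPv6 header; the function names and the sample packet are constructed for illustration.

```c
/* Offline classifier for captured packets; hypothetical helper names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf (starting at the IPv6 header) is an MLDv2 General Query:
 * hop limit 1, ICMPv6 type 130, all-zero Multicast Address field, and an MLD
 * message of at least 28 bytes (a 24-byte query is MLDv1). */
static int is_mldv2_general_query(const uint8_t *buf, size_t len)
{
    size_t off = 40;                        /* fixed IPv6 header */
    uint8_t next;

    if (len < off || (buf[0] >> 4) != 6 || buf[7] != 1)
        return 0;
    next = buf[6];
    if (next == 0) {                        /* Hop-by-Hop (Router Alert) */
        if (len < off + 8)
            return 0;
        next = buf[40];
        off += ((size_t)buf[41] + 1) * 8;
    }
    if (next != 58 || len < off + 28 || buf[off] != 130)
        return 0;
    for (size_t i = 8; i < 24; i++)         /* Multicast Address field */
        if (buf[off + i] != 0)
            return 0;
    return 1;
}

/* Constructed sample: IPv6 + Router Alert + 28-byte MLD body, checksum 0. */
static size_t build_sample(uint8_t p[76], uint8_t type, uint8_t group_last)
{
    memset(p, 0, 76);
    p[0] = 0x60; p[5] = 36; p[7] = 1;       /* version, payload len, hop limit */
    p[8] = 0xfe; p[9] = 0x80; p[23] = 1;    /* src fe80::1 */
    p[24] = 0xff; p[25] = 0x02; p[39] = 1;  /* dst ff02::1 */
    p[40] = 58; p[42] = 5; p[43] = 2;       /* HBH: next=ICMPv6, Router Alert */
    p[46] = 1;                              /* PadN option, length 0 */
    p[48] = type; p[71] = group_last;       /* MLD type, last group byte */
    return 76;
}

int main(void)
{
    uint8_t p[76];
    size_t n = build_sample(p, 130, 0);
    printf("general query: %d\n", is_mldv2_general_query(p, n));
    return 0;
}
```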

Mitigation Strategies

The primary mitigation is to update the Zephyr RTOS to a fixed version where the vulnerability has been patched, such as Zephyr RTOS 4.5.0 or later.

The fix involves caching the network interface pointer locally before sending the packet and avoiding any access to the packet after the send call, preventing use-after-free conditions.
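
The ordering change described above, as an added host-side model (not Zephyr source and not the project's patch). All type and function names are hypothetical; the one-slot array stands in for the net_pkt slab, and the send helper clears the slot to model its reuse after a successful send.

```c
/* Host-side model of the ownership bug; hypothetical names, not Zephyr source. */
#include <stddef.h>
#include <stdio.h>

struct iface { unsigned mld_sent; };     /* per-interface statistic */
struct pkt { struct iface *iface; };
static struct pkt slab[1];               /* stand-in for the net_pkt slab */

static struct pkt *pkt_alloc(struct iface *iface)
{
    slab[0].iface = iface;
    return &slab[0];
}

/* Successful send: L2 takes ownership and frees the packet. Clearing the slot
 * models another context reusing it before the sender runs again. */
static int send_data(struct pkt *pkt)
{
    pkt->iface = NULL;
    return 0;
}

/* Pre-fix ordering: interface looked up after the send. Returns what the
 * stale read yields; the affected code passed it to the statistics macros. */
static struct iface *mld_send_before_fix(struct pkt *pkt)
{
    if (send_data(pkt) < 0)
        return NULL;
    return pkt->iface;                   /* slot is no longer owned here */
}

/* Fixed ordering: cache the interface, send, never touch pkt again. */
static int mld_send_fixed(struct pkt *pkt)
{
    struct iface *iface = pkt->iface;
    if (send_data(pkt) < 0)
        return -1;                       /* send failed, no statistics update */
    iface->mld_sent++;                   /* uses the cached pointer */
    return 0;
}

int main(void)
{
    struct iface eth = { 0 };
    void *stale = mld_send_before_fix(pkt_alloc(&eth));
    int ret = mld_send_fixed(pkt_alloc(&eth));
    printf("stale read=%p fixed ret=%d sent=%u\n", stale, ret, eth.mld_sent);
    return 0;
}
```

In the model the stale read is well defined because the slot is a static array; on a real target the same read lands in memory the slab may already have handed to another packet.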

Until an update can be applied, consider disabling or filtering incoming MLDv2 General Query packets on the local link to prevent triggering the vulnerability remotely.

  • Apply the official patch or upgrade to Zephyr RTOS 4.5.0 or later.
  • Implement network-level filtering to block or restrict MLDv2 General Query packets.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
