CVE-2026-10638
Awaiting Analysis - Queue
Use-After-Free in Zephyr RTOS Networking Stack

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Zephyr Project

Description
subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent packet. The send path (net_try_send_data -> net_if_tx) unreferences and may free the packet back to its memory slab before returning: synchronously in the RX thread when no TX queue is configured (CONFIG_NET_TC_TX_COUNT == 0), and asynchronously the driver/L2 may already have freed it otherwise.

net_pkt_iface() therefore dereferences a freed (and possibly reused) net_pkt; with CONFIG_NET_STATISTICS_PER_INTERFACE the stale iface pointer is further dereferenced and written through (iface->stats.icmp.sent++), turning the use-after-free read into a write through an attacker-influenceable pointer. The core stack already documents this hazard in net_core.c ("do not use pkt after that call") and caches iface before sending; the ICMPv6 callers did not.

An unauthenticated remote attacker triggers the flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error (unknown next header, fragment reassembly timeout, destination unreachable), leading to denial of service via crash and potential memory corruption. Affected: Zephyr networking with CONFIG_NET_NATIVE_IPV6, roughly v4.2.0 through v4.4.0. The fix caches the interface pointer before sending and uses it for all statistics updates; the sibling commit 86e21665d46 fixes the identical bug in ICMPv4.
Affected Vendors & Products
Showing 1 associated CPE
Vendor: zephyrproject
Product: zephyr
Version / Range: From 4.2.0 (inc) to 4.4.0 (inc)
CWE
CWE ID: CWE-416
Description: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

This vulnerability is a use-after-free bug in the Zephyr RTOS networking stack's ICMPv6 implementation. It happens because the code reads the network interface from a network packet after the packet has already been sent and potentially freed by the driver. Specifically, functions like icmpv6_handle_echo_request() and net_icmpv6_send_error() update statistics by accessing the packet's interface pointer after the packet may have been freed, leading to dereferencing invalid memory. This can cause crashes or memory corruption.

An unauthenticated remote attacker can trigger this flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that causes an ICMPv6 error, resulting in denial of service or potential memory corruption.

Impact Analysis

This vulnerability can lead to denial of service (DoS) by causing the affected system to crash when processing certain ICMPv6 packets. Additionally, it may cause memory corruption, which could potentially be exploited to affect system stability or security.

Detection Guidance

This vulnerability is triggered by unauthenticated remote attackers sending ICMPv6 Echo Requests (ping) or IPv6 packets that cause ICMPv6 errors (such as unknown next header, fragment reassembly timeout, or destination unreachable). Detection can focus on monitoring for unusual or repeated ICMPv6 Echo Requests or error messages that might exploit this flaw.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

Immediate mitigation involves applying the fix that caches the network interface pointer before sending packets, preventing use-after-free access. This fix is implemented in the Zephyr RTOS networking stack by modifying the ICMPv6 handling functions to avoid accessing freed memory.

Therefore, updating your Zephyr RTOS to a version that includes the patch from commit 09c8578c66b517c5165cde53332ed5d8d8ef2cfc or later is the recommended immediate step.
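
The ordering problem from the Description and the cache-before-send fix named above, as an added example that is not Zephyr source and not the patch itself. Every name in it (toy_iface, toy_pkt, toy_send, reply_vulnerable, reply_fixed) is hypothetical, and the "slab" is a static array, so the stale access is modelled safely: the freed slot is reused by another interface and the statistics update lands there.

```c
#include <stdio.h>

/* Toy model; every name here is hypothetical, none of it is Zephyr source. */
struct toy_iface { const char *name; unsigned icmp_sent; };
struct toy_pkt { struct toy_iface *iface; int refs; };

static struct toy_pkt slab[1];                 /* one-slot "memory slab" */
static struct toy_iface if_a = { "if_a", 0 }, if_b = { "if_b", 0 };

static struct toy_pkt *toy_pkt_alloc(struct toy_iface *iface) {
    if (slab[0].refs != 0) return NULL;        /* slab exhausted */
    slab[0].iface = iface;
    slab[0].refs = 1;
    return &slab[0];
}

/* Send with no TX queue: the packet is released before the call returns,
 * and here the slot is reused at once by traffic on another interface. */
static int toy_send(struct toy_pkt *pkt) {
    if (--pkt->refs == 0) pkt->iface = &if_b;  /* slot freed and reused */
    return 0;
}

/* Before: reads the interface from the packet after it was sent. */
static struct toy_iface *reply_vulnerable(struct toy_iface *rx) {
    struct toy_pkt *reply = toy_pkt_alloc(rx);
    if (reply == NULL || toy_send(reply) < 0) return NULL;
    reply->iface->icmp_sent++;                 /* stale read, then a write */
    return reply->iface;
}

/* After: caches the interface first and never touches reply again. */
static struct toy_iface *reply_fixed(struct toy_iface *rx) {
    struct toy_pkt *reply = toy_pkt_alloc(rx);
    if (reply == NULL) return NULL;
    struct toy_iface *iface = reply->iface;    /* cached before sending */
    if (toy_send(reply) < 0) return NULL;
    iface->icmp_sent++;
    return iface;
}

int main(void) {
    printf("before: counted on %s\n", reply_vulnerable(&if_a)->name);
    printf("after:  counted on %s\n", reply_fixed(&if_a)->name);
    return 0;
}
```

In a real slab the reused slot can hold arbitrary data, which is why the Description treats the per-interface statistics increment as a write through a stale pointer and not merely a miscount.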

Compliance Impact

The vulnerability allows an unauthenticated remote attacker to cause denial of service via crash and potential memory corruption by sending crafted ICMPv6 packets. This could impact system availability, which is a component of compliance with standards like GDPR and HIPAA that require ensuring system availability and integrity.

However, the provided information does not explicitly discuss any direct effects on data confidentiality, integrity, or privacy controls mandated by these regulations.

Therefore, while the vulnerability could affect availability aspects of compliance, there is no direct indication from the provided data that it impacts compliance with GDPR, HIPAA, or similar standards beyond potential denial of service.
