CVE-2026-10639
Status: Awaiting Analysis (Queue)
Use-After-Free in Zephyr RTOS IPv4 ICMP Echo Reply Handling

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Zephyr Project

Description
In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx -> net_if_tx -> L2/driver send, or the asynchronous net_if_tx_thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref -> k_mem_slab_free) before the stats line runs. net_core.c documents this exact contract ('the pkt might contain garbage already ... do not use pkt after that call'). The post-send net_pkt_iface(reply) therefore reads reply->iface out of a freed (and possibly already reallocated) net_pkt, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer. The path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input -> net_icmp_call_ipv4_handlers -> icmpv4_handle_echo_request) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS). The defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free because it reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates.
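As an added illustration that is not part of this record or of Zephyr's source, the C model below reproduces the ordering at issue: a send routine that takes ownership of the packet and releases it, a stats update that reads the interface through the released packet, and the fixed ordering that caches the interface pointer from the live received packet first. All model_* names are hypothetical stand-ins, and the one-slot slab is a constructed substitute for the net_pkt slab.

```c
/* Constructed model of the ownership hazard behind CVE-2026-10639. Not Zephyr
 * code: the model_* names are hypothetical stand-ins for net_pkt, net_if,
 * net_try_send_data() and net_stats_update_icmp_sent(). */
#include <stdint.h>
#include <string.h>

struct model_iface { uint32_t icmp_sent; };                /* per-iface stats */
struct model_pkt   { struct model_iface *iface; int in_use; };

/* One-slot packet slab: freeing a packet scrubs the slot, standing in for a
 * freed net_pkt that may hold garbage or already belong to another user. */
static struct model_pkt slab_slot;
static struct model_pkt *model_pkt_alloc(struct model_iface *iface)
{
    if (slab_slot.in_use) return NULL;
    slab_slot.in_use = 1;
    slab_slot.iface = iface;
    return &slab_slot;
}

/* Takes ownership of pkt, like net_try_send_data(): the caller must not touch
 * pkt afterwards. The TX path here releases it synchronously. */
static int model_send(struct model_pkt *pkt)
{
    memset(pkt, 0, sizeof(*pkt));             /* slot scrubbed, marked free */
    return 0;
}

/* Vulnerable ordering: the stats update reads the interface through the reply
 * packet after the send path released it. Returns the pointer it read. */
struct model_iface *model_reply_vulnerable(struct model_iface *rx_iface)
{
    struct model_pkt *reply = model_pkt_alloc(rx_iface);
    if (reply == NULL || model_send(reply) != 0) return NULL;
    struct model_iface *seen = reply->iface;  /* stale read: NULL in the model */
    if (seen != NULL) seen->icmp_sent++;      /* in real memory: wild write */
    return seen;
}

/* Fixed ordering: cache the interface from the live received packet before
 * sending and use only the cached pointer for the post-send stats update. */
struct model_iface *model_reply_fixed(struct model_iface *rx_iface)
{
    struct model_iface *iface = rx_iface;     /* cached while still valid */
    struct model_pkt *reply = model_pkt_alloc(rx_iface);
    if (reply == NULL || model_send(reply) != 0) return NULL;
    iface->icmp_sent++;                       /* reply is never touched */
    return iface;
}
```

In the model the stale read deterministically yields NULL so the counter is never reached; on a real slab the slot may instead hold a recycled packet, which is what turns the same read into a write through an unrelated pointer.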
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor | Product | Version / Range
zephyrproject | zephyr | From 1.14 (inc) to 4.4.0 (inc)
zephyrproject | zephyr | 1.14
zephyrproject | zephyr | to 4.4.0 (inc)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Quick Actions
Executive Summary

This vulnerability is a use-after-free issue in Zephyr RTOS's native IPv4 stack, specifically in the function icmpv4_handle_echo_request(). When the system builds and sends an ICMPv4 echo-reply packet, the transmission path may free the packet's memory before the function finishes using it. After sending, the code attempts to access the network interface pointer from this freed packet, leading to a read from memory that may have been reallocated or corrupted.

If the configuration option CONFIG_NET_STATISTICS_PER_INTERFACE is enabled, the function also increments interface statistics using this stale pointer, which can cause corrupted statistics or a wild-pointer write. This flaw can be triggered remotely by any host sending an ICMPv4 echo request (ping) to the device and is dependent on the CONFIG_NET_STATISTICS_ICMP setting.

Impact Analysis

The vulnerability can lead to corrupted interface statistics or cause a wild-pointer write due to accessing freed memory. This can result in a remotely triggerable crash, causing a denial of service (DoS) condition on the affected device.

Since the vulnerability is triggered by receiving ICMPv4 echo requests (pings) from any remote host, it can be exploited without authentication, potentially disrupting network operations or device availability.

Detection Guidance

This vulnerability is triggered by any remote host sending an ICMPv4 echo request (ping) to the device when the configuration option CONFIG_NET_STATISTICS_ICMP is enabled.

Detection can involve monitoring for unusual ICMP echo request traffic or crashes related to ICMP handling on the affected Zephyr RTOS devices.

Since the vulnerability involves a use-after-free triggered by ICMP echo requests, you can test by sending ICMP echo requests (ping) to the device and observing for crashes or corrupted interface statistics.

  • Use the ping command from a remote host to send ICMP echo requests to the device: ping <device_ip>
  • Monitor device logs or console output for crashes or errors related to ICMP handling.
  • If possible, enable debugging or logging on the Zephyr device to capture network stack errors or memory corruption events.
Mitigation Strategies

The primary mitigation is to apply the official patch that fixes the use-after-free vulnerability by caching the interface pointer before sending the ICMP reply packet.

If patching immediately is not possible, consider disabling the CONFIG_NET_STATISTICS_ICMP option to prevent the vulnerable code path from executing.

Additionally, restricting or filtering ICMP echo requests (ping) from untrusted or remote hosts can reduce the risk of exploitation.

  • Update Zephyr RTOS to a version including the fix (post v4.4.0 or apply the commit https://github.com/zephyrproject-rtos/zephyr/commit/86e21665d4641f304dc3895bfb03b8f89db83291).
  • Disable CONFIG_NET_STATISTICS_ICMP if statistics collection on ICMP is not required.
  • Implement network-level filtering to block or limit ICMP echo requests from untrusted sources.