CVE-2026-10640
Awaiting Analysis - Queue
IPv6 Neighbor Discovery Use-After-Free in Zephyr RTOS

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Zephyr Project

Description
Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success path the network stack owns and releases the packet's reference (the L2/driver send unrefs it, e.g. ethernet_send -> net_pkt_unref), so for a freshly allocated packet with refcount 1 the net_pkt slab block can be freed before the statistics line runs (synchronously when no TX queue thread is configured, or via a concurrent TX thread otherwise). The subsequent net_pkt_iface(pkt) reads pkt->iface from the freed slab block, and with CONFIG_NET_STATISTICS_PER_INTERFACE enabled that loaded pointer is dereferenced to increment iface->stats.icmp.sent, a use-after-free (CWE-416). If the slab block was reallocated in the meantime the read/increment targets unrelated or attacker-influenced memory, yielding corrupted statistics, a fault/crash (denial of service), or potential limited memory corruption. The vulnerable Neighbor Advertisement path is reachable by any unauthenticated on-link node simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled (handle_ns_input -> net_ipv6_send_na). Affected from v3.3.0 through v4.4.0; the fix uses the already-available iface argument instead of touching the sent packet. Configurations without per-interface statistics dereference only a global counter and are not affected by the memory-safety aspect.
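
The ownership mistake described above, shown beside the corrected pattern. This is an added illustration, not Zephyr source: the struct layouts, the one-block slab, reused_owner and the send_na_* names are assumptions that model slab reuse in static storage so the stale read is deterministic.

```c
/* Toy model of the pattern in the description; not Zephyr source. */
#include <stdio.h>

struct iface { unsigned icmp_sent; };
struct pkt { struct iface *iface; int ref; };

/* One-block "slab" in static storage, so the stale read stays defined. */
static struct pkt slab_block;
static struct iface reused_owner;   /* what the block points at after reuse */

static struct pkt *pkt_alloc(struct iface *iface)
{
    slab_block = (struct pkt){ .iface = iface, .ref = 1 };
    return &slab_block;
}

static void pkt_unref(struct pkt *p)
{
    if (--p->ref == 0)
        p->iface = &reused_owner;   /* model: block freed, then reallocated */
}

/* Success path: the stack consumes the caller's only reference. */
static int send_data(struct pkt *p) { pkt_unref(p); return 0; }

/* Before: statistics reached through the packet after a successful send. */
static int send_na_vulnerable(struct iface *iface)
{
    struct pkt *p = pkt_alloc(iface);
    if (send_data(p) < 0) { pkt_unref(p); return -1; }
    p->iface->icmp_sent++;          /* stale read of pkt->iface */
    return 0;
}

/* After: the iface argument is used; pkt is not touched once sent. */
static int send_na_fixed(struct iface *iface)
{
    struct pkt *p = pkt_alloc(iface);
    if (send_data(p) < 0) { pkt_unref(p); return -1; }
    iface->icmp_sent++;
    return 0;
}

int main(void)
{
    struct iface eth = {0};
    send_na_vulnerable(&eth);
    send_na_fixed(&eth);
    printf("eth=%u other=%u\n", eth.icmp_sent, reused_owner.icmp_sent);
    return 0;
}
```

In the model the first call increments the counter of whatever now owns the block, and only the second call updates the interface that actually sent the packet.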
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
zephyrproject | zephyr | From 3.3.0 (inc) to 4.4.0 (inc)
CWE
CWE ID | Description
CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

This vulnerability is a use-after-free issue in the IPv6 Neighbor Discovery send paths of the Zephyr RTOS network stack. Specifically, after a packet is sent successfully, the code attempts to update per-interface ICMP-sent statistics by accessing the packet's interface data. However, the packet's memory may have already been freed or unreferenced by the network driver, leading to the code reading from freed memory.

This happens because the function net_pkt_iface(pkt) is called after net_send_data(pkt) returns, but the packet's reference count has already been released, so the memory can be freed or reused. Dereferencing this freed memory can cause corrupted statistics, crashes (denial of service), or limited memory corruption.

The vulnerability can be triggered by any unauthenticated on-link node sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled.

Impact Analysis

This vulnerability can lead to corrupted network interface statistics, system crashes causing denial of service, or potential limited memory corruption on affected devices running Zephyr RTOS versions 3.3.0 through 4.4.0.

An attacker on the same network (on-link) can exploit this by sending specially crafted ICMPv6 Neighbor Solicitations to trigger the use-after-free condition.

The impact includes integrity loss of network statistics and availability issues due to crashes, but it does not directly affect confidentiality.

Detection Guidance

This vulnerability is triggered by unauthenticated on-link nodes sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled. Detection involves monitoring for unusual or unexpected ICMPv6 Neighbor Solicitation traffic on your network targeting Zephyr devices running affected versions (3.3.0 through 4.4.0).

Since the issue involves use-after-free in the IPv6 Neighbor Discovery send paths, you can look for system crashes, faults, or corrupted ICMP statistics on affected devices as indirect signs.

Suggested commands to detect suspicious Neighbor Solicitation traffic include using packet capture tools such as:

  • tcpdump -i <interface> 'icmp6 and ip6[40] == 135'
  • Wireshark with a display filter: icmpv6.type == 135

Additionally, monitoring logs or statistics on the Zephyr device for crashes or corrupted ICMP counters may help identify exploitation attempts.
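
The ip6[40] test in the tcpdump filter reads the byte immediately after the 40-byte fixed IPv6 header, so it only matches when no extension header precedes ICMPv6. The classifier below is an added example, not part of the advisory or of Zephyr; it walks hop-by-hop, routing and destination-options headers before checking for type 135, and the function names and sample packet are constructed for illustration.

```c
/* Added example, not from the advisory: find Neighbor Solicitations even
 * when extension headers precede the ICMPv6 header. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { NH_HOPOPTS = 0, NH_ROUTING = 43, NH_ICMPV6 = 58, NH_DSTOPTS = 60 };
enum { ICMPV6_NS = 135 };

/* buf points at the IPv6 fixed header. Returns 1 for an NS, else 0. */
static int is_neighbor_solicitation(const uint8_t *buf, size_t len)
{
    if (len < 40 || (buf[0] >> 4) != 6)
        return 0;
    uint8_t nh = buf[6];                 /* Next Header of the fixed header */
    size_t off = 40;                     /* ip6[40] in the tcpdump filter */
    for (int i = 0; i < 8; i++) {        /* bounded walk of the header chain */
        if (nh == NH_ICMPV6)
            return off < len && buf[off] == ICMPV6_NS;
        if (nh != NH_HOPOPTS && nh != NH_ROUTING && nh != NH_DSTOPTS)
            return 0;                    /* anything else: not handled here */
        if (off + 2 > len)
            return 0;                    /* truncated extension header */
        nh = buf[off];
        off += ((size_t)buf[off + 1] + 1) * 8;   /* Hdr Ext Len: 8-byte units, minus one */
    }
    return 0;
}

/* Constructed 64-byte sample, optionally with an 8-byte hop-by-hop header. */
static size_t make_sample(uint8_t *buf, uint8_t icmp_type, int with_hopopts)
{
    memset(buf, 0, 64);
    buf[0] = 0x60;                       /* version 6 */
    buf[6] = with_hopopts ? NH_HOPOPTS : NH_ICMPV6;
    if (with_hopopts)
        buf[40] = NH_ICMPV6;             /* ext header: next header, length byte 0 */
    buf[with_hopopts ? 48 : 40] = icmp_type;
    return 64;
}

int main(void)
{
    uint8_t b[64];
    size_t n = make_sample(b, ICMPV6_NS, 1);
    printf("ip6[40]=%u is_ns=%d\n", (unsigned)b[40], is_neighbor_solicitation(b, n));
    return 0;
}
```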

Mitigation Strategies

The primary mitigation is to upgrade Zephyr RTOS to version 4.5.0 or later, where the vulnerability is fixed by using the interface argument directly instead of accessing the packet after transmission.

If upgrading immediately is not possible, consider disabling per-interface ICMP statistics (CONFIG_NET_STATISTICS_PER_INTERFACE) if feasible, as configurations without per-interface statistics are not affected by the memory-safety aspect.

Additionally, restrict or monitor ICMPv6 Neighbor Solicitation traffic from untrusted or unauthenticated on-link nodes to reduce exposure.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
