CVE-2026-10653
Status: Received - Intake

Race Condition in Zephyr RTOS net_buf Library Leads to Heap Corruption

Vulnerability report for CVE-2026-10653, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Zephyr Project

Description

The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block ref_count at the start of each variable/heap data allocation -- with plain non-atomic C operators (buf->ref++, if (--buf->ref > 0), if (--(*ref_count))). The API is documented as self-synchronizing: callers may share one buffer across threads (e.g. via k_fifo) and each holder independently calls net_buf_unref() with no surrounding lock.

Under true concurrency (SMP, or single-core preemption between the non-atomic load and store while another context unrefs the same buffer), two holders can both observe the same prior reference value and both conclude they are the last reference.

For heap/variable-data pools (mem_pool_data_unref/heap_data_unref, used by zbus message subscribers, the IP stack RX/TX buffers when CONFIG_NET_BUF_FIXED_DATA_SIZE=n, capture, wireguard, ISO-TP and usbip) this produces a double k_heap_free()/k_free() of the same block -- heap-metadata corruption and a use-after-free on the heap-hardening poison pattern. For the per-header refcount the buffer is returned to the pool free LIFO twice for any pool type (including fixed-data pools used by Bluetooth and networking), corrupting the free list so a later allocation hands the same buffer to two owners.

The fix converts both refcounts to atomic_inc/atomic_dec (overlaying buf->ref in an atomic_t-sized union and changing the data-block refcount from uint8_t to atomic_t).

Impact is gated on genuine concurrency and on an application architecture that shares one buffer among multiple independent unref'ers; the trigger is a refcount/timing race rather than packet content, so an external attacker has at most weak indirect influence over the race window. Affects all Zephyr releases through v4.4.0.
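The lost update described above, as an added example in C11 that is not Zephyr's code: a step-level model in which a plain increment or decrement is split into its load and its store, so a schedule string can run another holder between the two, beside the same operations done with atomic_fetch_add/atomic_fetch_sub in the way the fix uses atomic_inc/atomic_dec. Everything in it (refbuf, holder, run_schedule, premature_frees, the freed counter standing in for the pool) is this example's own invention. It models holder A handing a new reference on with net_buf_ref() while holder B releases its own with net_buf_unref(): the interleaving "ABAB" leaves the count at 1 for two live owners, "BABA" leaves it at 3 (a leak), and the atomic version yields 2 in every order. The second function shows where the undercount leads: the next holder to unref frees the buffer while another still owns it.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not Zephyr code: a step-level model of the refcount race in
 * CVE-2026-10653. A plain `buf->ref++` or `--buf->ref` is a load, an add or
 * subtract in a register, and a store; if another context updates the same
 * count between the load and the store, one update is lost. All names here
 * (refbuf, holder, run_schedule, ...) are this example's own. */

struct refbuf {
    unsigned int plain_ref;  /* vulnerable layout: plain counter */
    atomic_uint atomic_ref;  /* fixed layout: atomic counter */
    unsigned int freed;      /* times the buffer was "returned to the pool" */
};

struct holder {
    int delta;               /* +1 models net_buf_ref(), -1 net_buf_unref() */
    unsigned int reg;        /* value this holder loaded (non-atomic model) */
    int step;                /* 0 = not started, 1 = loaded, 2 = finished */
};

/* Release path shared by both models: whoever brings the count to zero frees. */
static void maybe_free(struct refbuf *b, unsigned int new_ref)
{
    if (new_ref == 0) {
        b->freed++;          /* stand-in for net_buf_destroy() / k_free() */
    }
}

/* Non-atomic model: each call advances the holder by one machine-level step,
 * so a schedule can run another holder between this one's LOAD and STORE. */
static void racy_step(struct refbuf *b, struct holder *h)
{
    if (h->step == 0) {
        h->reg = b->plain_ref;                              /* LOAD */
        h->step = 1;
    } else if (h->step == 1) {
        h->reg = (h->delta > 0) ? h->reg + 1 : h->reg - 1;  /* ADD/SUB */
        b->plain_ref = h->reg;                              /* STORE */
        maybe_free(b, h->reg);
        h->step = 2;
    }
}

/* Atomic model (the fix): the read-modify-write is one indivisible step, so
 * the first call does the whole operation and later calls are no-ops. */
static void atomic_step(struct refbuf *b, struct holder *h)
{
    if (h->step != 0) {
        return;
    }
    unsigned int old = (h->delta > 0)
        ? atomic_fetch_add_explicit(&b->atomic_ref, 1, memory_order_acq_rel)
        : atomic_fetch_sub_explicit(&b->atomic_ref, 1, memory_order_acq_rel);
    maybe_free(b, (h->delta > 0) ? old + 1 : old - 1);
    h->step = 2;
}

/* Two holders start with ref == 2. 'A' hands a new reference to a third context
 * (net_buf_ref), 'B' releases its own (net_buf_unref); the correct final count
 * is 2 in every order. Each letter runs one step of that holder. */
static unsigned int run_schedule(const char *sched, bool fixed)
{
    struct refbuf b = { .plain_ref = 2, .atomic_ref = 2, .freed = 0 };
    struct holder hs[2] = { { .delta = +1 }, { .delta = -1 } };
    for (const char *p = sched; *p != '\0'; p++) {
        struct holder *h = &hs[(*p == 'A') ? 0 : 1];
        if (fixed) {
            atomic_step(&b, h);
        } else {
            racy_step(&b, h);
        }
    }
    return fixed ? atomic_load(&b.atomic_ref) : b.plain_ref;
}

/* What an undercount costs: `live_holders` contexts still own the buffer but
 * the count says `ref`. Each holder unrefs in turn; returns how many frees
 * happened while another holder still owned the buffer. Once the pool hands
 * that freed buffer to a new owner, the stale holder's unref returns it again. */
static unsigned int premature_frees(unsigned int ref, unsigned int live_holders)
{
    struct refbuf b = { .plain_ref = ref, .freed = 0 };
    unsigned int premature = 0;
    for (unsigned int i = 0; i < live_holders; i++) {
        struct holder h = { .delta = -1 };
        racy_step(&b, &h);   /* LOAD */
        racy_step(&b, &h);   /* SUB + STORE, frees on zero */
        if (b.freed > 0 && i + 1 < live_holders) {
            premature = b.freed;
        }
    }
    return premature;
}

int main(void)
{
    printf("racy  ABAB -> ref %u (should be 2)\n", run_schedule("ABAB", false));
    printf("racy  BABA -> ref %u (should be 2)\n", run_schedule("BABA", false));
    printf("fixed ABAB -> ref %u\n", run_schedule("ABAB", true));
    printf("premature frees, ref 1 with 2 holders: %u\n", premature_frees(1, 2));
    return 0;
}
```

Build it with any C11 compiler (for example cc -std=c11) and run it. It is a model, not a reproducer: on real hardware the window between the load and the store is a few instructions wide, which is why the advisory rates an external attacker's influence over the race as weak and indirect.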


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor          Product   Version / Range
zephyrproject   zephyr    up to and including 4.4.0

Exploitability

CWE ID    Description
CWE-415   The product calls free() twice on the same memory address.

Executive Summary

CVE-2026-10653 affects the Zephyr RTOS net_buf library, where the reference counts for buffers are manipulated using non-atomic operations. Specifically, both the per-header buffer reference count and the per-data-block reference count are incremented and decremented without atomicity, which is unsafe in concurrent environments.

Because multiple threads can share a buffer and independently call the unreference function without locks, a race condition can occur. Two threads may both see the same reference count and both conclude they are the last to release the buffer, leading to a double free or corruption of the free list.

This results in heap metadata corruption, use-after-free vulnerabilities, and potential buffer reuse issues. The vulnerability is triggered under genuine concurrency and when buffers are shared among multiple independent holders.

The fix involves converting the reference count operations to atomic increments and decrements, ensuring thread-safe manipulation of these counts.

Impact Analysis

In applications built on Zephyr that share net_buf buffers between contexts, the lost reference-count update leads to heap corruption (a double k_heap_free()/k_free() of the same data block) or to a use-after-free once a buffer is freed while a holder still uses it. Either can crash the device, silently corrupt data, or in the worst case be steered into code execution.

Because a buffer header can also be pushed onto the pool free list twice, a later allocation can hand the same buffer to two owners, so one owner's writes land in the other's data, a path to data corruption or leakage.

The result is an availability loss from crashes and heap faults, an integrity loss from corrupted data structures, and a confidentiality risk where a buffer's memory is reused while its previous owner still reads it.

Exploitation, however, requires genuine concurrency (SMP, or preemption between the non-atomic load and store) and an application architecture that shares one buffer among several independent unref'ers; the trigger is timing, not packet content, so an external attacker's influence over the race window is at best indirect.

Detection Guidance

This vulnerability is a race in the net_buf library's reference counting: two contexts operate on the same buffer's count at the same time and a non-atomic update is lost. There is no packet or protocol signature to look for; the observable symptoms are heap corruption, double frees and use-after-free faults in applications built on Zephyr that share net_buf buffers across threads or between thread and interrupt context.

Detection therefore means instrumenting the build rather than watching the wire:

  • Build test images with Zephyr's heap validation and net_buf debug logging enabled (CONFIG_SYS_HEAP_VALIDATE and CONFIG_NET_BUF_LOG), so a corrupted heap or an unexpected reference count is reported where it happens rather than as a later, unrelated crash.
  • Log the buffer pointer and reference count around net_buf_ref()/net_buf_unref() on buffers that are handed across contexts, and flag any buffer whose count reaches zero while a holder is still active or that the pool hands out twice.
  • Stress the sharing paths (SMP, preemptible threads, high interrupt rates) in CI to widen the race window and surface the crash.
  • Where the application can be built for native_sim, build with CONFIG_ASAN=y so AddressSanitizer reports the double free or use-after-free together with both stacks.

Mitigation Strategies

The primary mitigation is to update Zephyr to a release that contains the fix (the advisory lists all releases through v4.4.0 as affected, so v4.5.0 or later), in which both net_buf reference counts are manipulated with atomic_inc/atomic_dec.

If an immediate upgrade is not possible:

  • Backport the fix: it converts buf->ref and the per-data-block ref_count to atomic_t and replaces the plain ++/-- with atomic_inc/atomic_dec.
  • Do not let several threads, or a thread and an interrupt handler, call net_buf_unref() or net_buf_ref() on the same buffer without a lock around the whole operation; where possible give each buffer a single owner that releases it.
  • Audit the sharing paths the advisory names (zbus message subscribers, the IP stack with CONFIG_NET_BUF_FIXED_DATA_SIZE=n, capture, wireguard, ISO-TP, usbip, and the fixed-data pools used by Bluetooth and networking) and any application code that passes net_bufs through a k_fifo.
  • Keep heap validation and net_buf debug logging enabled in test builds so a corrupted pool or heap is reported early.
