CVE-2026-13351
Analyzed Analyzed - Analysis Complete

Denial of Service in Zephyr RTOS IPv6 Stack

Vulnerability report for CVE-2026-13351, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-06

Assigner: Zephyr Project

Description

Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-06
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr to 4.4.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Zephyr's IPv6 network stack where an attacker can send a small number of specially crafted fragmented IPv6 packets. When these packets are processed, the network stack fails to release the memory buffers allocated for receiving packets. As a result, the buffers become exhausted, preventing the device from receiving or processing any further incoming network packets.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for repeated occurrences of "Failed to obtain RX buffer" errors on the affected Zephyr system, which indicate exhaustion of RX buffer slots.

On the network, detection involves identifying maliciously fragmented IPv6 packets being sent repeatedly to the device.

  • Check system logs for "Failed to obtain RX buffer" error messages.
  • Use packet capture tools like tcpdump or Wireshark to filter and analyze IPv6 fragmented packets with commands such as: tcpdump -i <interface> 'ip6[6] == 44' to capture IPv6 fragmentation headers.
  • Look for an unusual volume of fragmented IPv6 packets which may indicate an ongoing attack exploiting this vulnerability.
Mitigation Strategies

The immediate mitigation step is to update the Zephyr RTOS to a version later than 4.3 where this vulnerability has been patched.

Until an update can be applied, consider implementing network-level filtering to block or rate-limit fragmented IPv6 packets to prevent exhaustion of RX buffers.

Monitor system logs for signs of the attack and isolate affected devices if possible to reduce impact.

Impact Analysis

The impact of this vulnerability is a denial of service (DoS) condition. By exhausting the receive buffers through malicious fragmented IPv6 packets, the affected device will stop receiving network traffic, which can disrupt normal network communications and services relying on the device.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13351. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart