CVE-2026-13351
Denial of Service in Zephyr RTOS IPv6 Stack

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Zephyr Project

Description
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.
Meta Information
Generated: 2026-06-26
AI Q&A generated: 2026-06-25
EPSS evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor          Product   Version / Range
zephyrproject   zephyr    *
zephyrproject   zephyr    up to 4.3 (inclusive)
CWE
CWE ID Description
CWE-772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
AI Quick Actions
Executive Summary

This vulnerability exists in Zephyr's IPv6 network stack where an attacker can send a small number of specially crafted fragmented IPv6 packets. When these packets are processed, the network stack fails to release the memory buffers allocated for receiving packets. As a result, the buffers become exhausted, preventing the device from receiving or processing any further incoming network packets.

Impact Analysis

The impact of this vulnerability is a denial of service (DoS) condition. By exhausting the receive buffers through malicious fragmented IPv6 packets, the affected device will stop receiving network traffic, which can disrupt normal network communications and services relying on the device.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for repeated occurrences of "Failed to obtain RX buffer" errors on the affected Zephyr system, which indicate exhaustion of RX buffer slots.

On the network, detection involves identifying maliciously fragmented IPv6 packets being sent repeatedly to the device.

  • Check system logs for "Failed to obtain RX buffer" error messages.
  • Use packet capture tools such as tcpdump or Wireshark to filter and analyze fragmented IPv6 packets, for example with tcpdump -i <interface> 'ip6[6] == 44', which matches packets whose Next Header field is 44 (the IPv6 Fragment header).
  • Look for an unusual volume of fragmented IPv6 packets, which may indicate an ongoing attack exploiting this vulnerability.
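As an added illustration of the packet-level check in the detection guidance above (example code written for this page, not Zephyr project code or tooling from the page's own source), the Python below walks an IPv6 packet's extension-header chain to find the Fragment header, counts fragmented packets per source address and flags a source once it crosses a threshold. The three sample packets, the addresses from the 2001:db8::/32 documentation prefix and the threshold of 3 are constructed assumptions; a real deployment would feed frames from a capture instead. It also shows the blind spot of the 'ip6[6] == 44' filter: that byte is the fixed header's Next Header field, so a Fragment header placed after a Hop-by-Hop header is not matched by it but is still found by the chain walk.

```python
import struct
from collections import Counter
from ipaddress import IPv6Address

# Next Header values from RFC 8200 (constants taken from the RFC, not from Zephyr).
IPV6_FRAG = 44              # Fragment extension header
UDP = 17
WALKABLE_EXT = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options: may precede Fragment


def parse_ipv6(pkt: bytes):
    """Walk an IPv6 packet's extension-header chain.

    Returns (src, has_fragment_header, first_next_header). first_next_header is
    the byte inspected by the tcpdump filter 'ip6[6] == 44'.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    first_nh = next_hdr = pkt[6]
    src = IPv6Address(pkt[8:24])
    off = 40
    while True:
        if next_hdr == IPV6_FRAG:
            if off + 8 > len(pkt):
                raise ValueError("truncated Fragment header")
            return src, True, first_nh
        if next_hdr not in WALKABLE_EXT:
            return src, False, first_nh  # upper-layer protocol reached, no fragmentation
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        # Generic extension header: Next Header, then Hdr Ext Len in 8-octet units
        # not counting the first 8 octets.
        next_hdr, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8


class FragmentFloodDetector:
    """Count fragmented IPv6 packets per source; flag a source at `threshold`."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.per_source = Counter()

    def observe(self, pkt: bytes) -> bool:
        """Feed one packet; return True when its source reaches the threshold."""
        src, has_frag, _ = parse_ipv6(pkt)
        if not has_frag:
            return False
        self.per_source[src] += 1
        return self.per_source[src] >= self.threshold


# --- constructed sample packets (not captured traffic) ---------------------

def ipv6_packet(src: str, dst: str, first_nh: int, after_header: bytes) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, hop limit 64) followed by the given bytes."""
    fixed = struct.pack("!IHBB", 6 << 28, len(after_header), first_nh, 64)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + after_header


def fragment_header(next_hdr: int, offset_units: int, more: bool, ident: int) -> bytes:
    """RFC 8200 section 4.5 Fragment header: offset in 8-octet units, M flag in bit 0."""
    return struct.pack("!BBHI", next_hdr, 0, (offset_units << 3) | int(more), ident)


def hop_by_hop_header(next_hdr: int) -> bytes:
    """Minimal 8-octet Hop-by-Hop header: Hdr Ext Len 0, padded with one PadN option."""
    return struct.pack("!BB", next_hdr, 0) + bytes([1, 4, 0, 0, 0, 0])


SRC, DST = "2001:db8::1", "2001:db8::2"  # documentation prefix, constructed
PAYLOAD = b"\x00" * 16
PLAIN = ipv6_packet(SRC, DST, UDP, PAYLOAD)
FRAG_FIRST = ipv6_packet(SRC, DST, IPV6_FRAG,
                         fragment_header(UDP, 0, True, 0x1234) + PAYLOAD)
FRAG_AFTER_HBH = ipv6_packet(SRC, DST, 0,
                             hop_by_hop_header(IPV6_FRAG)
                             + fragment_header(UDP, 0, True, 0x1234) + PAYLOAD)


def bpf_first_header_match(pkt: bytes) -> bool:
    """Same test as tcpdump's 'ip6[6] == 44': only the fixed header's Next Header byte."""
    return pkt[6] == IPV6_FRAG


def demo(threshold: int = 3):
    """Feed the same fragmented packet repeatedly; return the per-packet alert flags."""
    det = FragmentFloodDetector(threshold)
    return [det.observe(FRAG_FIRST) for _ in range(threshold)]


if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("frag first", FRAG_FIRST), ("frag after HBH", FRAG_AFTER_HBH)):
        src, frag, _ = parse_ipv6(pkt)
        print(f"{name:15} from {src}: fragment={frag} "
              f"ip6[6]==44 matches={bpf_first_header_match(pkt)}")
    print("alert flags:", demo())
```

Running it prints that the third packet carries a Fragment header while the first-byte filter does not match it, and that the detector stays quiet for two fragmented packets from one source and raises the flag on the third. The threshold is a placeholder: tune it against the baseline fragment rate of the network the device actually sits on.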
Mitigation Strategies

The immediate mitigation step is to update the Zephyr RTOS to a version later than 4.3 where this vulnerability has been patched.

Until an update can be applied, consider implementing network-level filtering to block or rate-limit fragmented IPv6 packets to prevent exhaustion of RX buffers.

Monitor system logs for signs of the attack and isolate affected devices if possible to reduce impact.
