CVE-2026-10667
Received Received - Intake

Use-After-Free in Zephyr RTOS Kernel Object Tracking

Vulnerability report for CVE-2026-10667, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-12

Last updated on: 2026-07-12

Assigner: Zephyr Project

Description

Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj_list) of dynamically allocated kernel objects. Iteration over this list in k_object_wordlist_foreach() was performed under lists_lock using the SAFE iterator (which caches the next node), but list removal and freeing of nodes was performed under different, disjoint spinlocks: objfree_lock in k_object_free() and obj_lock in unref_check(). On an SMP system, while one CPU iterated obj_list under lists_lock, another CPU could unlink and k_free() the dyn_obj node that the iterator had cached as its next pointer, causing the iterator to dereference freed kernel memory (use-after-free / dangling list traversal). All of the racing operations are reachable from unprivileged user-mode threads via system calls: k_object_alloc/k_object_alloc_size and k_object_release drive removals through unref_check() (under obj_lock), while k_thread_abort and thread creation drive the iteration through k_thread_perms_all_clear()/k_thread_perms_inherit() (under lists_lock). A deprivileged user thread on a CONFIG_SMP + CONFIG_USERSPACE build can therefore corrupt the kernel's object-tracking structures across the userspace security boundary, yielding kernel memory corruption (potential privilege escalation) or a kernel crash (denial of service). The fix removes objfree_lock and serializes every obj_list modification under lists_lock, including holding it across find+remove in k_object_free() and around unref_check() in k_thread_perms_clear(). Affects CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations; the defect dates to the 2019 spinlockification (commit 8a3d57b6cc6, first released in v1.14.0) and shipped through v4.4.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-12
Last Modified
2026-07-12
Generated
2026-07-12
AI Q&A
2026-07-12
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr From 1.14.0 (inc) to 4.4.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free bug in the Zephyr RTOS kernel's dynamic kernel-object tracking system. The kernel maintains a doubly-linked list of dynamically allocated kernel objects, which is traversed under one spinlock (lists_lock). However, removal and freeing of these objects are done under different spinlocks (objfree_lock and obj_lock). On systems with Symmetric Multiprocessing (SMP), this inconsistent locking allows one CPU to free a kernel object node while another CPU is still iterating over it, causing the iterator to dereference freed memory.

This race condition can be triggered by unprivileged user-mode threads through system calls that allocate, release, or abort kernel objects and threads. As a result, a deprivileged user thread can corrupt kernel object-tracking structures, leading to kernel memory corruption, potential privilege escalation, or a kernel crash (denial of service).

The fix involves removing the separate objfree_lock and serializing all modifications to the object list under lists_lock to prevent concurrent unsafe access.

Impact Analysis

This vulnerability can allow a low-privileged user-mode thread to corrupt kernel memory by exploiting a race condition in the kernel's dynamic object tracking. The impacts include:

  • Kernel memory corruption due to use-after-free conditions.
  • Potential privilege escalation by bypassing kernel security boundaries.
  • Kernel crashes leading to denial of service.
Detection Guidance

This vulnerability is a use-after-free condition in the Zephyr RTOS kernel related to dynamic kernel object tracking under SMP configurations. Detection involves identifying race conditions in kernel object list traversal and removal, which is a low-level kernel concurrency issue.

Since this is a kernel-level race condition triggered by specific system calls (k_object_alloc, k_object_free, k_thread_abort, etc.) under CONFIG_SMP and CONFIG_DYNAMIC_OBJECTS, detection typically requires kernel debugging or tracing tools rather than simple network or system commands.

Suggested approaches include:

  • Use kernel debugging tools such as KGDB or kernel tracing (ftrace, SystemTap) to monitor calls to k_object_alloc, k_object_free, and k_thread_abort for concurrent access patterns.
  • Enable kernel debugging logs if available in Zephyr to capture race conditions or use-after-free warnings.
  • Run stress tests or fuzzing on user-mode threads invoking the affected system calls to try to reproduce the race condition.

No specific command-line commands are provided in the available resources for direct detection of this vulnerability.

Mitigation Strategies

The primary mitigation is to apply the official patches that fix the locking inconsistencies in the Zephyr kernel's dynamic object tracking subsystem.

Specifically:

  • Update Zephyr RTOS to a version that includes the fix which serializes all obj_list modifications under the lists_lock spinlock, removing the use of objfree_lock and obj_lock for these operations.
  • Ensure your build configuration includes the patched versions of k_object_free(), k_thread_perms_clear(), and related functions as described in the fix.
  • If immediate patching is not possible, consider disabling CONFIG_DYNAMIC_OBJECTS or CONFIG_SMP features if feasible, to reduce exposure.
  • Limit unprivileged user-mode thread access or restrict usage of system calls related to dynamic kernel object allocation and release.

These steps prevent race conditions that lead to use-after-free and kernel memory corruption, mitigating potential privilege escalation or denial of service.

Compliance Impact

This vulnerability allows low-privileged userspace threads to corrupt kernel memory and potentially escalate privileges or cause denial of service. Such unauthorized privilege escalation and system instability can lead to breaches of confidentiality, integrity, and availability of data and systems.

As a result, affected systems may fail to meet compliance requirements of common standards and regulations like GDPR and HIPAA, which mandate strict controls over data confidentiality, integrity, and system availability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10667. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart