CVE-2026-10638

Source
https://cve.org/CVERecord?id=CVE-2026-10638
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10638.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-10638
Aliases
  • GHSA-m92g-94xv-wvw2
Published
2026-06-16T13:16:14.688Z
Modified
2026-07-08T08:08:17.625176897Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Use-after-free in Zephyr ICMPv6 RX path when updating statistics after sending an echo reply or error
Details

subsys/net/ip/icmpv6.c reads the network interface from a netpkt after that packet has been handed to nettrysenddata(). In icmpv6handleechorequest() and neticmpv6senderror(), the post-send statistics update calls netpktiface(reply)/netpktiface(pkt) on the just-sent packet. The send path (nettrysenddata - netiftx) unreferences and may free the packet back to its memory slab before returning — synchronously in the RX thread when no TX queue is configured (CONFIGNETTCTXCOUNT == 0), and asynchronously the driver/L2 may already have freed it otherwise. netpktiface() therefore dereferences a freed (and possibly reused) netpkt; with CONFIGNETSTATISTICSPERINTERFACE the stale iface pointer is further dereferenced and written through (iface-stats.icmp.sent++), turning the use-after-free read into a write through an attacker-influenceable pointer. The core stack already documents this hazard in netcore.c ("do not use pkt after that call") and caches iface before sending; the ICMPv6 callers did not. An unauthenticated remote attacker triggers the flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error (unknown next header, fragment reassembly timeout, destination unreachable), leading to denial of service via crash and potential memory corruption. Affected: Zephyr networking with CONFIGNETNATIVEIPV6, roughly v4.2.0 through v4.4.0. The fix caches the interface pointer before sending and uses it for all statistics updates; the sibling commit 86e21665d46 fixes the identical bug in ICMPv4.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "4.2.0"
                },
                {
                    "fixed": "4.5.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10638.json",
    "cna_assigner": "zephyr",
    "cwe_ids": [
        "CWE-416"
    ]
}
References

Affected packages

Git / github.com/zephyrproject-rtos/zephyr

Affected ranges

Type
GIT
Repo
https://github.com/zephyrproject-rtos/zephyr
Events
Database specific
{
    "source": "DESCRIPTION",
    "extracted_events": [
        {
            "introduced": "v4.2.0"
        },
        {
            "fixed": "v4.4.0"
        }
    ]
}

Affected versions

v4.*
v4.2.0
v4.3.0
v4.3.0-rc1
v4.3.0-rc2
v4.3.0-rc3
v4.4.0-rc1
v4.4.0-rc2
v4.4.0-rc3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10638.json"