In Zephyr's native IPv4 stack, icmpv4handleechorequest() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to nettrysenddata(), and then, on success, calls netstatsupdateicmpsent(netpktiface(reply)). nettrysenddata() transfers ownership of reply to the TX path (netiftryqueuetx - netiftx - L2/driver send, or the asynchronous netiftxthread), which can unref it to refcount 0 and return the struct netpkt to its slab (netpktunref - kmemslabfree) before the stats line runs. net_core.c documents this exact contract ('the pkt might contain garbage already ... do not use pkt after that call').
The post-send netpktiface(reply) therefore reads reply-iface out of a freed (and possibly already reallocated) netpkt, a use-after-free read; with CONFIGNETSTATISTICSPER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer.
The path is reached unauthenticated by any remote host that pings the device (neticmpv4input - neticmpcallipv4handlers - icmpv4handleechorequest) and is gated on CONFIGNETSTATISTICSICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS).
The defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in neticmpv4senderror() is not a use-after-free because it reads netpkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "1.14.0"
},
{
"fixed": "4.5.0"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10639.json",
"cna_assigner": "zephyr",
"cwe_ids": [
"CWE-416"
]
}