A race condition during TCP connection teardown can cause tcprecv() to operate on a connection that has already been released. If tcpconnsearch() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcpbacklogisfull() and dereferenced without validation, leading to a crash.
{
"cna_assigner": "zephyr",
"cwe_ids": [
"CWE-476"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5590.json"
}