Description
Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired it afterwards. During that window a concurrent tcp_conn_release(), running on the dedicated TCP work-queue thread when a connection's reference count drops to zero (e.g. a remote peer closing or resetting the connection), can remove and k_mem_slab_free() the cached next connection. When the iterator advances it dereferences the freed (and possibly reallocated) slab memory — a use-after-free that can crash the system (denial of service) and, if the slot has been reused, cause the callback to operate on an attacker-influenced object (potential information disclosure or further fault). net_tcp_foreach() is reached in production via the 'net conn' network shell command and via net_tcp_close_all_for_iface() on interface-down; the freeing side is driven by ordinary TCP traffic. The fix moves the connection/context teardown in tcp_conn_release() inside the tcp_lock critical section and keeps tcp_lock held across the callback in net_tcp_foreach(). The defect was introduced with the modern (TCP2) stack in 2020 and affects releases up to and including v4.4.0.
Published: 2026-06-15
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free occurs in Zephyr's native TCP stack when the lock protecting the global connection list is released during a callback. The cached pointer to the next connection can be freed by a concurrent tcp_conn_release() running on the TCP work‑queue thread, leading to a crash or an unsafe operation on a reused memory region. This flaw can be triggered by normal TCP traffic and results in denial of service or, if the memory is reused, potential information disclosure.

Affected Systems

The vulnerability is present in Zephyr RTOS versions up to and including 4.4.0, including all releases that use the modern TCP2 stack introduced in 2020. Devices built with zephyrproject:zephyr and exposing the 'net conn' network shell command or that perform net_tcp_close_all_for_iface() on interface‑down are affected.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, while an EPSS score of less than 1% suggests a low probability of current exploitation. The flaw is not listed in CISA KEV. Attack is likely local or through accepted TCP traffic, requiring a timing window where a connection is being freed concurrently with the iteration. Because the trigger is ordinary TCP activity, an adversary could potentially provide crafted packets to increase the chance of the race, but successful exploitation would mainly cause a system crash or optional information leakage.

Generated by OpenCVE AI on June 18, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Zephyr kernel 4.4.1 or later, which fixes the CWE‑416 Use‑After‑Free flaw by keeping tcp_lock held across net_tcp_foreach().
  • Disable or restrict the 'net conn' network shell command on production devices running the affected kernel to prevent triggering the lock‑release during iteration, mitigating the CWE‑416 use‑after‑free risk.
  • Isolate the device from untrusted networks that could cause concurrent TCP cleanup, for example by blocking or rate‑limiting external TCP traffic, thereby reducing the chance of the race condition identified as CWE‑416.
  • In development environments, use memory sanitizers or static analysis tools to detect and eliminate use‑after‑free patterns, directly addressing the CWE‑416 weakness.

Generated by OpenCVE AI on June 18, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Zephyrproject
Zephyrproject zephyr
Vendors & Products Zephyrproject
Zephyrproject zephyr

Mon, 15 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired it afterwards. During that window a concurrent tcp_conn_release(), running on the dedicated TCP work-queue thread when a connection's reference count drops to zero (e.g. a remote peer closing or resetting the connection), can remove and k_mem_slab_free() the cached next connection. When the iterator advances it dereferences the freed (and possibly reallocated) slab memory — a use-after-free that can crash the system (denial of service) and, if the slot has been reused, cause the callback to operate on an attacker-influenced object (potential information disclosure or further fault). net_tcp_foreach() is reached in production via the 'net conn' network shell command and via net_tcp_close_all_for_iface() on interface-down; the freeing side is driven by ordinary TCP traffic. The fix moves the connection/context teardown in tcp_conn_release() inside the tcp_lock critical section and keeps tcp_lock held across the callback in net_tcp_foreach(). The defect was introduced with the modern (TCP2) stack in 2020 and affects releases up to and including v4.4.0.
Title Use-after-free in Zephyr native TCP net_tcp_foreach() due to dropping tcp_lock during the callback
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Zephyrproject Zephyr
cve-icon MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-15T16:06:49.600Z

Reserved: 2026-06-02T15:10:50.607Z

Link: CVE-2026-10634

cve-icon Vulnrichment

Updated: 2026-06-15T16:06:45.460Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-15T16:16:32.223

Modified: 2026-06-15T20:52:58.193

Link: CVE-2026-10634

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T01:30:15Z

Weaknesses