Impact
A use‑after‑free occurs in Zephyr's native TCP stack when the lock protecting the global connection list is released during a callback. The cached pointer to the next connection can be freed by a concurrent tcp_conn_release() running on the TCP work‑queue thread, leading to a crash or an unsafe operation on a reused memory region. This flaw can be triggered by normal TCP traffic and results in denial of service or, if the memory is reused, potential information disclosure.
Affected Systems
The vulnerability is present in Zephyr RTOS versions up to and including 4.4.0, including all releases that use the modern TCP2 stack introduced in 2020. Devices built with zephyrproject:zephyr and exposing the 'net conn' network shell command or that perform net_tcp_close_all_for_iface() on interface‑down are affected.
Risk and Exploitability
The CVSS score of 4.8 indicates moderate severity, while an EPSS score of less than 1% suggests a low probability of current exploitation. The flaw is not listed in CISA KEV. Attack is likely local or through accepted TCP traffic, requiring a timing window where a connection is being freed concurrently with the iteration. Because the trigger is ordinary TCP activity, an adversary could potentially provide crafted packets to increase the chance of the race, but successful exploitation would mainly cause a system crash or optional information leakage.
OpenCVE Enrichment