Description
On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain_deinit() - arch_mem_domain_deinit(), the page tables are torn down and domain-arch.ptables is set to NULL, but the domain's node was not removed from xtensa_domain_list. The freed/deinitialized domain therefore remained linked into the global list as a dangling pointer into caller-owned storage that may then be freed or reused. Any subsequent arch_mem_map()/arch_mem_unmap() operation (widely invoked by kernel memory-mapping and demand-paging code) traverses the stale node and dereferences domain-ptables: at minimum a NULL pointer dereference causing a fatal MMU exception (denial of service), and if the k_mem_domain storage has been freed or reused, a use-after-free in which a stale/controlled ptables value is dereferenced and written through during the page-table walk (l2_page_table_map writes l1_table[...] and l2_table[...], and xtensa_mmu_compute_domain_regs writes into the domain struct and the L1 table), yielding page-table memory corruption that can undermine userspace isolation. The vulnerable path is reachable only from privileged kernel/supervisor code (k_mem_domain_deinit is not a syscall), not directly from unprivileged user threads or remotely. Affected: Zephyr v4.4.0 (the Xtensa memory-domain de-initialization feature was introduced in commit 3032b58f52d and first shipped in v4.4.0); fixed on main by adding sys_slist_find_and_remove() in arch_mem_domain_deinit(). The Xtensa MPU path is unaffected.
Published: 2026-06-16
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

On Xtensa targets that enable userspace and the Xtensa MMU, the de‑initialization routine for memory domains fails to remove the domain’s list node from a global list. When a deinitialised domain is later freed or reused, kernel mapping and paging operations traverse this stale node, dereferencing a NULL pointer or a stale page‑table address. This produces a fatal MMU exception that crashes the system and, if the freed memory has been repurposed, results in page‑table corruption that can compromise userspace isolation by allowing unauthorized memory access within the kernel’s address space.

Affected Systems

The issue appears in Zephyr v4.4.0 on Xtensa CPUs when both CONFIG_USERSPACE and CONFIG_XTENSA_MMU are enabled. It was introduced in commit 3032b58f52d and shipped with v4.4.0. The mainline pull request that adds sys_slist_find_and_remove in arch_mem_domain_deinit() removes the dangling node and resolves the flaw. The Xtensa MPU path is unaffected.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity for this flaw. The EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in CISA KEV, so no publicly known exploits exist. The code path is reachable only from privileged kernel or supervisor code; unprivileged user threads and remote attackers have no direct access to trigger the flaw.

Generated by OpenCVE AI on June 17, 2026 at 22:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zephyr to a version that includes the sys_slist_find_and_remove change (commit 33d43d09 or later) to eliminate the dangling list node.
  • If an upgrade cannot be performed immediately, disable CONFIG_XTENSA_MMU or CONFIG_USERSPACE in the build configuration to avoid the vulnerable memory‑domain de‑initialization path.
  • Verify that any custom code that calls k_mem_domain_deinit() only performs the operation after the domain is fully unreferenced, preventing premature de‑initialization of in‑use storage.

Generated by OpenCVE AI on June 17, 2026 at 22:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:zephyrproject:zephyr:4.4.0:*:*:*:*:*:*:*

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Zephyrproject
Zephyrproject zephyr
Vendors & Products Zephyrproject
Zephyrproject zephyr

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Description On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain_deinit() - arch_mem_domain_deinit(), the page tables are torn down and domain-arch.ptables is set to NULL, but the domain's node was not removed from xtensa_domain_list. The freed/deinitialized domain therefore remained linked into the global list as a dangling pointer into caller-owned storage that may then be freed or reused. Any subsequent arch_mem_map()/arch_mem_unmap() operation (widely invoked by kernel memory-mapping and demand-paging code) traverses the stale node and dereferences domain-ptables: at minimum a NULL pointer dereference causing a fatal MMU exception (denial of service), and if the k_mem_domain storage has been freed or reused, a use-after-free in which a stale/controlled ptables value is dereferenced and written through during the page-table walk (l2_page_table_map writes l1_table[...] and l2_table[...], and xtensa_mmu_compute_domain_regs writes into the domain struct and the L1 table), yielding page-table memory corruption that can undermine userspace isolation. The vulnerable path is reachable only from privileged kernel/supervisor code (k_mem_domain_deinit is not a syscall), not directly from unprivileged user threads or remotely. Affected: Zephyr v4.4.0 (the Xtensa memory-domain de-initialization feature was introduced in commit 3032b58f52d and first shipped in v4.4.0); fixed on main by adding sys_slist_find_and_remove() in arch_mem_domain_deinit(). The Xtensa MPU path is unaffected.
Title Dangling memory-domain pointer (use-after-free) in Xtensa MMU page-table code on memory-domain de-init
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H'}


Subscriptions

Zephyrproject Zephyr
cve-icon MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-16T13:47:16.733Z

Reserved: 2026-06-02T15:10:51.941Z

Link: CVE-2026-10635

cve-icon Vulnrichment

Updated: 2026-06-16T13:47:10.679Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-16T06:16:57.770

Modified: 2026-06-16T20:52:48.143

Link: CVE-2026-10635

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T23:00:14Z

Weaknesses