Description
In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been released by the L2 driver or by the network stack's TX handling (synchronously in the default NET_TC_TX_COUNT=0 immediate-transmit configuration), returning the net_pkt slab block to its free list. The subsequent net_pkt_iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write. The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net_ipv4_igmp_input - send_igmp_report/send_igmp_v3_report - igmp_send), as well as from local multicast join/leave/rejoin operations. Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse. The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld_send in subsys/net/ip/ipv6_mld.c) retains the same unfixed pattern.
Published: 2026-06-16
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Zephyr's IPv4 IGMP implementation, the function that sends IGMP membership reports can read an interface pointer from a packet after that packet has already been freed by the lower layer or the network stack. This use‑after‑free occurs after the packet is handed to the driver for transmission. When network statistics per interface are enabled, the freed pointer is later dereferenced again to update a statistics counter, leading to corrupt counters or a crash. The flaw is non‑authentication‑bound, so an attacker can trigger it by sending IGMP membership queries or by performing local multicast join or leave operations. The consequence is undefined behavior that can manifest as sporadic crashes or statistics corruption, effectively a denial of service; a controlled memory write would require the asynchronous transmission path and normal operation.

Affected Systems

The vulnerability affects Zephyr RTOS, specifically versions from 2.6.0 up through 4.4.0. Owners of devices running these releases should check the Zephyr project for fixes or newer releases.

Risk and Exploitability

The CVSS score for this flaw is 3.7, and the EPSS score is reported as < 1%, indicating a low probability of exploitation. It is not listed in the CISA KEV catalog. While the attack vector is remote and does not require authentication—an attacker can send malformed IGMP packets on a network that reaches the device—the exploit demands a specific timing scenario to cause a controllable memory write. Consequently, the overall risk is moderate but the likelihood of an attacker successfully using it in the wild is low.

Generated by OpenCVE AI on June 17, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zephyr to a release that includes the patch for the IGMP send path, such as a version newer than 4.4.0 or cherry‑pick the commit that caches the interface pointer before transmission.
  • If an update is not immediately possible, disable CONFIG_NET_STATISTICS_PER_INTERFACE to prevent the statistics counter from being accessed after the packet is freed.
  • Monitor network traffic for IGMP membership queries and consider filtering or limiting multicast traffic to reduce the attack surface.

Generated by OpenCVE AI on June 17, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Zephyrproject
Zephyrproject zephyr
Vendors & Products Zephyrproject
Zephyrproject zephyr

Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been released by the L2 driver or by the network stack's TX handling (synchronously in the default NET_TC_TX_COUNT=0 immediate-transmit configuration), returning the net_pkt slab block to its free list. The subsequent net_pkt_iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write. The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net_ipv4_igmp_input - send_igmp_report/send_igmp_v3_report - igmp_send), as well as from local multicast join/leave/rejoin operations. Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse. The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld_send in subsys/net/ip/ipv6_mld.c) retains the same unfixed pattern.
Title Use-after-free in Zephyr IPv4 IGMP send path (igmp_send)
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Zephyrproject Zephyr
cve-icon MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-16T15:30:59.821Z

Reserved: 2026-06-02T15:10:53.319Z

Link: CVE-2026-10636

cve-icon Vulnrichment

Updated: 2026-06-16T15:30:56.654Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T15:16:33.867

Modified: 2026-06-16T15:23:42.240

Link: CVE-2026-10636

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:45:02Z

Weaknesses