Impact
In Zephyr's IPv4 IGMP implementation, the function that sends IGMP membership reports can read an interface pointer from a packet after that packet has already been freed by the lower layer or the network stack. This use‑after‑free occurs after the packet is handed to the driver for transmission. When network statistics per interface are enabled, the freed pointer is later dereferenced again to update a statistics counter, leading to corrupt counters or a crash. The flaw is non‑authentication‑bound, so an attacker can trigger it by sending IGMP membership queries or by performing local multicast join or leave operations. The consequence is undefined behavior that can manifest as sporadic crashes or statistics corruption, effectively a denial of service; a controlled memory write would require the asynchronous transmission path and normal operation.
Affected Systems
The vulnerability affects Zephyr RTOS, specifically versions from 2.6.0 up through 4.4.0. Owners of devices running these releases should check the Zephyr project for fixes or newer releases.
Risk and Exploitability
The CVSS score for this flaw is 3.7, and the EPSS score is reported as < 1%, indicating a low probability of exploitation. It is not listed in the CISA KEV catalog. While the attack vector is remote and does not require authentication—an attacker can send malformed IGMP packets on a network that reaches the device—the exploit demands a specific timing scenario to cause a controllable memory write. Consequently, the overall risk is moderate but the likelihood of an attacker successfully using it in the wild is low.
OpenCVE Enrichment