Description
subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after that call'), a successful send transfers ownership of the net_pkt and the L2 driver frees it (e.g. ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab. The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot is concurrently reallocated, pkt-iface may read back as NULL (NULL-pointer dereference / crash) or as a stale/garbage pointer (stray increment write / memory corruption). The path is reachable remotely on the local link without authentication: handle_mld_query() (registered for NET_ICMPV6_MLD_QUERY) responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() - mld_send(). The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption. The fix caches the interface in a local before sending and no longer touches the packet after net_send_data(). The IPv4/IGMP sibling (igmp_send) already used the corrected pattern.
Published: 2026-06-16
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use‑after‑free in the IPv6 MLD send path of the Zephyr RTOS network stack. After a successful net_send_data(pkt) call, the packet object is released, yet the code still accesses net_pkt_iface(pkt). This read of a freed object results in a crash of the networking stack, and if the memory slot is reallocated, it can corrupt statistics counters or other data. The outcome is a denial‑of‑service of the networking subsystem and a narrow possibility of memory corruption.

Affected Systems

Affected devices run the Zephyr RTOS network stack component subsys/net/ip/ipv6_mld.c without the patch introduced in commit 3159c53e8e7d233c2a85a0798cf25ac441db6dae. Any application or system that includes Zephyr’s IPv6 MLD handling prior to that commit is susceptible. The vulnerability exists across all affected Zephyr releases listed in the advisory, but precise version bounds are not specified in the input.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score is below 1%, implying a very low chance of exploitation in the wild. The vulnerability is available to remote attackers on the local link without authentication via a standard MLDv2 General Query message. It is not listed in the CISA KEV catalog. Attackers could send a crafted MLD query to trigger the use‑after‑free, causing the router or device to crash and lose network availability, but would not gain other privileges.

Generated by OpenCVE AI on June 17, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Zephyr patch from commit 3159c53e8e7d233c2a85a0798cf25ac441db6dae or upgrade to a Zephyr release that includes the fix.
  • If the patch cannot be applied immediately, disable CONFIG_NET_STATISTICS_PER_INTERFACE or suppress MLD handling for that interface until the fix is in place.
  • Block unsolicited MLD queries at the network boundary or configure the device to ignore MLD queries from unknown sources.

Generated by OpenCVE AI on June 17, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Zephyrproject
Zephyrproject zephyr
Vendors & Products Zephyrproject
Zephyrproject zephyr

Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after that call'), a successful send transfers ownership of the net_pkt and the L2 driver frees it (e.g. ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab. The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot is concurrently reallocated, pkt-iface may read back as NULL (NULL-pointer dereference / crash) or as a stale/garbage pointer (stray increment write / memory corruption). The path is reachable remotely on the local link without authentication: handle_mld_query() (registered for NET_ICMPV6_MLD_QUERY) responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() - mld_send(). The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption. The fix caches the interface in a local before sending and no longer touches the packet after net_send_data(). The IPv4/IGMP sibling (igmp_send) already used the corrected pattern.
Title Use-after-free of net_pkt in IPv6 MLD send path triggerable by a link-local MLD Query
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}


Subscriptions

Zephyrproject Zephyr
cve-icon MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-16T15:30:22.970Z

Reserved: 2026-06-02T15:10:54.577Z

Link: CVE-2026-10637

cve-icon Vulnrichment

Updated: 2026-06-16T15:30:17.187Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T15:16:33.987

Modified: 2026-06-16T15:23:42.240

Link: CVE-2026-10637

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:45:02Z

Weaknesses