Impact
The vulnerability is a use‑after‑free in the IPv6 MLD send path of the Zephyr RTOS network stack. After a successful net_send_data(pkt) call, the packet object is released, yet the code still accesses net_pkt_iface(pkt). This read of a freed object results in a crash of the networking stack, and if the memory slot is reallocated, it can corrupt statistics counters or other data. The outcome is a denial‑of‑service of the networking subsystem and a narrow possibility of memory corruption.
Affected Systems
Affected devices run the Zephyr RTOS network stack component subsys/net/ip/ipv6_mld.c without the patch introduced in commit 3159c53e8e7d233c2a85a0798cf25ac441db6dae. Any application or system that includes Zephyr’s IPv6 MLD handling prior to that commit is susceptible. The vulnerability exists across all affected Zephyr releases listed in the advisory, but precise version bounds are not specified in the input.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity. The EPSS score is below 1%, implying a very low chance of exploitation in the wild. The vulnerability is available to remote attackers on the local link without authentication via a standard MLDv2 General Query message. It is not listed in the CISA KEV catalog. Attackers could send a crafted MLD query to trigger the use‑after‑free, causing the router or device to crash and lose network availability, but would not gain other privileges.
OpenCVE Enrichment