Description
subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent packet. The send path (net_try_send_data - net_if_tx) unreferences and may free the packet back to its memory slab before returning — synchronously in the RX thread when no TX queue is configured (CONFIG_NET_TC_TX_COUNT == 0), and asynchronously the driver/L2 may already have freed it otherwise. net_pkt_iface() therefore dereferences a freed (and possibly reused) net_pkt; with CONFIG_NET_STATISTICS_PER_INTERFACE the stale iface pointer is further dereferenced and written through (iface-stats.icmp.sent++), turning the use-after-free read into a write through an attacker-influenceable pointer. The core stack already documents this hazard in net_core.c ("do not use pkt after that call") and caches iface before sending; the ICMPv6 callers did not. An unauthenticated remote attacker triggers the flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error (unknown next header, fragment reassembly timeout, destination unreachable), leading to denial of service via crash and potential memory corruption. Affected: Zephyr networking with CONFIG_NET_NATIVE_IPV6, roughly v4.2.0 through v4.4.0. The fix caches the interface pointer before sending and uses it for all statistics updates; the sibling commit 86e21665d46 fixes the identical bug in ICMPv4.
Published: 2026-06-16
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw exists in Zephyr’s ICMPv6 reception path that occurs after the networking layer updates statistics for a packet that has been transmitted. A packet’s interface reference is read from a net_pkt object after it may have already been returned to the memory pool, causing the code to dereference a stale pointer and overwrite interface statistics. The vulnerability can lead to a crash and, if the memory is reused for another purpose, to memory corruption. The flaw is triggered by an unauthenticated attacker simply by sending a standard ICMPv6 Echo Request (ping) or any IPv6 packet that elicits an ICMPv6 error such as unknown next header or unreachable destination. Because the packet sent to the NIC is freed before the statistics update path runs, the attacker can reliably cause a denial‑of‑service event and potentially corrupt local memory.

Affected Systems

The affected product is Zephyr RTOS networking stack with CONFIG_NET_NATIVE_IPV6 enabled for firmware releases approximately from version 4.2.0 through 4.4.0. The flaw is present in the Zephyr Project’s open‑source kernel code base and would affect any embedded device using those Zephyr releases and the default network configuration.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderately high severity, primarily driven by the unauthorized remote nature of the attack and the local impact of service disruption or memory corruption. The EPSS score of less than 1% implies that exploitation is considered unlikely but still possible, especially in environments where the networking stack runs on exposed interfaces. The vulnerability is not included in CISA’s KEV catalogue, which further suggests that there is no widespread coordinated exploitation yet. Still, the flaw can be leveraged by any attacker who can send IPv6 traffic to the vulnerable device, making it an attractive target for denial‑of‑service attacks.

Generated by OpenCVE AI on June 17, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zephyr source to a version that includes the commit that caches the interface pointer before sending (link provided in the advisory).
  • Rebuild and redeploy the firmware on all affected devices after the update.
  • If an immediate code update is not possible, disable interface‑level statistics collection by setting CONFIG_NET_STATISTICS_PER_INTERFACE=0 or removing the statistics update code in the packet path as a temporary mitigation.

Generated by OpenCVE AI on June 17, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Zephyrproject
Zephyrproject zephyr
Vendors & Products Zephyrproject
Zephyrproject zephyr

Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent packet. The send path (net_try_send_data - net_if_tx) unreferences and may free the packet back to its memory slab before returning — synchronously in the RX thread when no TX queue is configured (CONFIG_NET_TC_TX_COUNT == 0), and asynchronously the driver/L2 may already have freed it otherwise. net_pkt_iface() therefore dereferences a freed (and possibly reused) net_pkt; with CONFIG_NET_STATISTICS_PER_INTERFACE the stale iface pointer is further dereferenced and written through (iface-stats.icmp.sent++), turning the use-after-free read into a write through an attacker-influenceable pointer. The core stack already documents this hazard in net_core.c ("do not use pkt after that call") and caches iface before sending; the ICMPv6 callers did not. An unauthenticated remote attacker triggers the flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error (unknown next header, fragment reassembly timeout, destination unreachable), leading to denial of service via crash and potential memory corruption. Affected: Zephyr networking with CONFIG_NET_NATIVE_IPV6, roughly v4.2.0 through v4.4.0. The fix caches the interface pointer before sending and uses it for all statistics updates; the sibling commit 86e21665d46 fixes the identical bug in ICMPv4.
Title Use-after-free in Zephyr ICMPv6 RX path when updating statistics after sending an echo reply or error
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Zephyrproject Zephyr
cve-icon MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-16T15:29:52.743Z

Reserved: 2026-06-02T15:10:55.949Z

Link: CVE-2026-10638

cve-icon Vulnrichment

Updated: 2026-06-16T15:29:49.895Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T15:16:34.097

Modified: 2026-06-16T15:23:42.240

Link: CVE-2026-10638

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:45:02Z

Weaknesses