Impact
A use‑after‑free flaw exists in Zephyr’s ICMPv6 reception path that occurs after the networking layer updates statistics for a packet that has been transmitted. A packet’s interface reference is read from a net_pkt object after it may have already been returned to the memory pool, causing the code to dereference a stale pointer and overwrite interface statistics. The vulnerability can lead to a crash and, if the memory is reused for another purpose, to memory corruption. The flaw is triggered by an unauthenticated attacker simply by sending a standard ICMPv6 Echo Request (ping) or any IPv6 packet that elicits an ICMPv6 error such as unknown next header or unreachable destination. Because the packet sent to the NIC is freed before the statistics update path runs, the attacker can reliably cause a denial‑of‑service event and potentially corrupt local memory.
Affected Systems
The affected product is Zephyr RTOS networking stack with CONFIG_NET_NATIVE_IPV6 enabled for firmware releases approximately from version 4.2.0 through 4.4.0. The flaw is present in the Zephyr Project’s open‑source kernel code base and would affect any embedded device using those Zephyr releases and the default network configuration.
Risk and Exploitability
The CVSS score of 5.9 indicates a moderately high severity, primarily driven by the unauthorized remote nature of the attack and the local impact of service disruption or memory corruption. The EPSS score of less than 1% implies that exploitation is considered unlikely but still possible, especially in environments where the networking stack runs on exposed interfaces. The vulnerability is not included in CISA’s KEV catalogue, which further suggests that there is no widespread coordinated exploitation yet. Still, the flaw can be leveraged by any attacker who can send IPv6 traffic to the vulnerable device, making it an attractive target for denial‑of‑service attacks.
OpenCVE Enrichment