Impact
A ping (ICMPv4 echo‑request) to a Zephyr device causes icmpv4_handle_echo_request() to build an echo‑reply packet and send it. After the reply packet is handed to the TX path, its reference count may reach zero and the packet memory can be freed while the code still attempts to read the packet’s interface via net_pkt_iface(reply). This use‑after‑free read can potentially dereference a stale pointer; additionally, when statistics per interface are enabled the code can write through that dangling pointer, corrupting interface statistics or causing a crash. The affected code path is the same that processes normal echo‑requests, not requiring any special privileges.
Affected Systems
Zephyr RTOS version 1.14 through 4.4.0 is affected. The vulnerability was introduced in a 2019 release and remains present up to the v4.4.0 release. The fix is included in later Zephyr releases beyond 4.4.0.
Risk and Exploitability
The CVSS score is 4.8, indicating moderate severity, and the EPSS score is less than 1 %, suggesting low current exploitation likelihood. The issue is not listed in the CISA KEV catalog. The attack vector is unauthenticated remote ICMP traffic: any host that can send ICMP echo‑requests to the device can trigger the flaw. Because the race between packet send and the post‑send statistics update depends on timing, successful exploitation may be intermittent, but the potential impact is a device crash or loss of accurate interface statistics, which can be leveraged for denial‑of‑service.
OpenCVE Enrichment