{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-10639", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "state": "PUBLISHED", "assignerShortName": "zephyr", "dateReserved": "2026-06-02T15:11:39.435Z", "datePublished": "2026-06-16T13:22:23.165Z", "dateUpdated": "2026-06-16T15:29:24.876Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-06-16T13:27:44.366Z"}, "title": "Use-after-free reading `net_pkt_iface()` of a sent ICMPv4 echo-reply packet in `icmpv4_handle_echo_request()`", "descriptions": [{"lang": "en", "value": "In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx - net_if_tx - L2/driver send, or the asynchronous net_if_tx_thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref - k_mem_slab_free) before the stats line runs. net_core.c documents this exact contract ('the pkt might contain garbage already ... do not use pkt after that call').\n\nThe post-send net_pkt_iface(reply) therefore reads reply-iface out of a freed (and possibly already reallocated) net_pkt, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer.\n\nThe path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input - net_icmp_call_ipv4_handlers - icmpv4_handle_echo_request) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS).\n\nThe defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free because it reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates."}], "affected": [{"vendor": "zephyrproject", "product": "zephyr", "collectionURL": "https://github.com/zephyrproject-rtos/zephyr", "packageName": "zephyr", "defaultStatus": "unaffected", "versions": [{"version": "1.14.0", "status": "affected", "lessThan": "4.5.0", "versionType": "semver"}]}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/commit/86e21665d4641f304dc3895bfb03b8f89db83291", "name": "Fix commit", "tags": ["patch"]}, {"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-qhrf-w466-qmpw", "name": "GHSA-qhrf-w466-qmpw"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 4.8, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "use-after-free", "cweId": "CWE-416", "type": "CWE"}]}], "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-16T15:29:17.028934Z", "id": "CVE-2026-10639", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-16T15:29:24.876Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-10639", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-16T15:29:17.028934Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-16T15:29:20.861Z"}}], "cna": {"title": "Use-after-free reading `net_pkt_iface()` of a sent ICMPv4 echo-reply packet in `icmpv4_handle_echo_request()`", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "zephyrproject", "product": "zephyr", "versions": [{"status": "affected", "version": "1.14.0", "lessThan": "4.5.0", "versionType": "semver"}], "packageName": "zephyr", "collectionURL": "https://github.com/zephyrproject-rtos/zephyr", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/commit/86e21665d4641f304dc3895bfb03b8f89db83291", "name": "Fix commit", "tags": ["patch"]}, {"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-qhrf-w466-qmpw", "name": "GHSA-qhrf-w466-qmpw"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx - net_if_tx - L2/driver send, or the asynchronous net_if_tx_thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref - k_mem_slab_free) before the stats line runs. net_core.c documents this exact contract ('the pkt might contain garbage already ... do not use pkt after that call').\n\nThe post-send net_pkt_iface(reply) therefore reads reply-iface out of a freed (and possibly already reallocated) net_pkt, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer.\n\nThe path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input - net_icmp_call_ipv4_handlers - icmpv4_handle_echo_request) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS).\n\nThe defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free because it reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "use-after-free"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-06-16T13:27:44.366Z"}}}, "cveMetadata": {"cveId": "CVE-2026-10639", "state": "PUBLISHED", "dateUpdated": "2026-06-16T15:29:24.876Z", "dateReserved": "2026-06-02T15:11:39.435Z", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "datePublished": "2026-06-16T13:22:23.165Z", "assignerShortName": "zephyr"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx - net_if_tx - L2/driver send, or the asynchronous net_if_tx_thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref - k_mem_slab_free) before the stats line runs. net_core.c documents this exact contract ('the pkt might contain garbage already ... do not use pkt after that call').\n\nThe post-send net_pkt_iface(reply) therefore reads reply-iface out of a freed (and possibly already reallocated) net_pkt, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer.\n\nThe path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input - net_icmp_call_ipv4_handlers - icmpv4_handle_echo_request) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS).\n\nThe defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free because it reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates."}], "id": "CVE-2026-10639", "lastModified": "2026-06-16T15:23:42.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.5, "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}, "published": "2026-06-16T15:16:34.207", "references": [{"source": "vulnerabilities@zephyrproject.org", "url": "https://github.com/zephyrproject-rtos/zephyr/commit/86e21665d4641f304dc3895bfb03b8f89db83291"}, {"source": "vulnerabilities@zephyrproject.org", "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-qhrf-w466-qmpw"}], "sourceIdentifier": "vulnerabilities@zephyrproject.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.14.0,4.5.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zephyr", "source": "cna", "vendor": "zephyrproject"}, "product": "zephyr", "vendor": "zephyrproject"}], "created": "2026-06-16T16:30:16.702380+00:00", "updated": "2026-06-16T16:30:16.702403+00:00", "vendors": ["zephyrproject", "zephyrproject$PRODUCT$zephyr"]}