Description
In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx - net_if_tx - L2/driver send, or the asynchronous net_if_tx_thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref - k_mem_slab_free) before the stats line runs. net_core.c documents this exact contract ('the pkt might contain garbage already ... do not use pkt after that call').

The post-send net_pkt_iface(reply) therefore reads reply-iface out of a freed (and possibly already reallocated) net_pkt, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer.

The path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input - net_icmp_call_ipv4_handlers - icmpv4_handle_echo_request) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS).

The defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free because it reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates.
Published: 2026-06-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A ping (ICMPv4 echo‑request) to a Zephyr device causes icmpv4_handle_echo_request() to build an echo‑reply packet and send it. After the reply packet is handed to the TX path, its reference count may reach zero and the packet memory can be freed while the code still attempts to read the packet’s interface via net_pkt_iface(reply). This use‑after‑free read can potentially dereference a stale pointer; additionally, when statistics per interface are enabled the code can write through that dangling pointer, corrupting interface statistics or causing a crash. The affected code path is the same that processes normal echo‑requests, not requiring any special privileges.

Affected Systems

Zephyr RTOS version 1.14 through 4.4.0 is affected. The vulnerability was introduced in a 2019 release and remains present up to the v4.4.0 release. The fix is included in later Zephyr releases beyond 4.4.0.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate severity, and the EPSS score is less than 1 %, suggesting low current exploitation likelihood. The issue is not listed in the CISA KEV catalog. The attack vector is unauthenticated remote ICMP traffic: any host that can send ICMP echo‑requests to the device can trigger the flaw. Because the race between packet send and the post‑send statistics update depends on timing, successful exploitation may be intermittent, but the potential impact is a device crash or loss of accurate interface statistics, which can be leveraged for denial‑of‑service.

Generated by OpenCVE AI on June 17, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zephyr to a fixed release version newer than 4.4.0
  • If an upgrade is not immediately possible, disable the statistics collection for ICMP with CONFIG_NET_STATISTICS_ICMP or disable CONFIG_NET_STATISTICS_PER_INTERFACE to prevent the problematic statistics update
  • As a temporary defensive measure, reduce exposure to ICMP echo‑requests (e.g., via firewall rules) so that the vulnerable code path is not invoked

Generated by OpenCVE AI on June 17, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Zephyrproject
Zephyrproject zephyr
Vendors & Products Zephyrproject
Zephyrproject zephyr

Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx - net_if_tx - L2/driver send, or the asynchronous net_if_tx_thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref - k_mem_slab_free) before the stats line runs. net_core.c documents this exact contract ('the pkt might contain garbage already ... do not use pkt after that call'). The post-send net_pkt_iface(reply) therefore reads reply-iface out of a freed (and possibly already reallocated) net_pkt, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer. The path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input - net_icmp_call_ipv4_handlers - icmpv4_handle_echo_request) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS). The defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free because it reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates.
Title Use-after-free reading `net_pkt_iface()` of a sent ICMPv4 echo-reply packet in `icmpv4_handle_echo_request()`
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Zephyrproject Zephyr
cve-icon MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-16T15:29:24.876Z

Reserved: 2026-06-02T15:11:39.435Z

Link: CVE-2026-10639

cve-icon Vulnrichment

Updated: 2026-06-16T15:29:20.861Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T15:16:34.207

Modified: 2026-06-16T15:23:42.240

Link: CVE-2026-10639

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T21:45:02Z

Weaknesses