Description
mcumgr_serial_process_frag() in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset() on the result of smp_packet_alloc() before checking it for NULL. smp_packet_alloc() uses net_buf_alloc(K_NO_WAIT) against the shared MCUmgr packet pool (CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT, default 4), which returns NULL when the pool is exhausted. In default builds the __ASSERT_NO_MSG in net_buf_reset is a no-op, so net_buf_simple_reset writes through the NULL pointer (buf->len = 0; buf->data = buf->__buf), causing a fault/crash. The fragment data reaches this code from attacker-controlled bytes on the MCUmgr serial/UART/shell-console transports (smp_uart.c, smp_raw_uart.c, smp_shell.c), and a fresh buffer is allocated at the start of essentially every new packet. An attacker on the serial/console link can flood the transport to drive the 4-entry buffer pool to exhaustion and induce the NULL dereference, crashing the device (denial of service). The defect was introduced after the original MCUmgr rework and shipped in Zephyr v4.4.0. The fix moves the NULL check ahead of net_buf_reset.
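The ordering bug and its fix, reduced to a self-contained C model (added illustration, not Zephyr's own code): the pool, smp_packet_alloc and net_buf_reset are stand-ins with the shape the description gives, while NETBUF_COUNT, NETBUF_SIZE and the process_frag_* names are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the MCUmgr packet pool (added example, not Zephyr code);
 * NETBUF_COUNT mirrors the CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT default of 4. */
#define NETBUF_COUNT 4
#define NETBUF_SIZE  128
struct net_buf { uint8_t *data; uint16_t len; int in_use; uint8_t __buf[NETBUF_SIZE]; };
static struct net_buf pool[NETBUF_COUNT];

/* Models net_buf_alloc(K_NO_WAIT): returns NULL once every buffer is in use. */
struct net_buf *smp_packet_alloc(void)
{
    for (int i = 0; i < NETBUF_COUNT; i++) {
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    }
    return NULL;
}
void smp_packet_free(struct net_buf *buf) { buf->in_use = 0; }

/* Models net_buf_reset() with __ASSERT_NO_MSG compiled out: no NULL guard at all. */
static void net_buf_reset(struct net_buf *buf) { buf->len = 0; buf->data = buf->__buf; }

/* Vulnerable ordering from the advisory: reset runs before the NULL check, so an
 * exhausted pool becomes a NULL dereference. Shown for contrast; the test never calls it. */
int process_frag_vulnerable(const uint8_t *frag, size_t n, struct net_buf **out)
{
    struct net_buf *buf = smp_packet_alloc();
    net_buf_reset(buf);                 /* writes through NULL when the pool is empty */
    if (buf == NULL) { return -ENOMEM; }
    if (n > NETBUF_SIZE) { smp_packet_free(buf); return -EMSGSIZE; }
    memcpy(buf->data, frag, n); buf->len = (uint16_t)n; *out = buf;
    return 0;
}

/* Fixed ordering: check the allocation first; exhaustion drops the fragment with -ENOMEM. */
int process_frag_fixed(const uint8_t *frag, size_t n, struct net_buf **out)
{
    struct net_buf *buf = smp_packet_alloc();
    if (buf == NULL) { return -ENOMEM; }    /* pool exhausted: drop, do not touch buf */
    net_buf_reset(buf);
    if (n > NETBUF_SIZE) { smp_packet_free(buf); return -EMSGSIZE; }
    memcpy(buf->data, frag, n); buf->len = (uint16_t)n; *out = buf;
    return 0;
}
```

With the fixed ordering a fifth packet arriving while all four buffers are held is rejected with -ENOMEM and service resumes as soon as a buffer is released; the same arrival pattern against the vulnerable ordering faults in net_buf_reset.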
Published: 2026-06-29
Score: 6.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a NULL-pointer dereference in the mcumgr_serial_process_frag function within Zephyr's MCUmgr serial/console transport stack. When a packet is received, a buffer is allocated from a small shared pool; if the pool is exhausted, the allocation returns NULL. The code then calls net_buf_reset on that NULL pointer, which faults and crashes the device. The condition is reachable because attacker-controlled data arrives over the serial/UART/shell-console interfaces and can flood the transport until the four-entry buffer pool is exhausted. The result is a deterministic crash, i.e. a denial-of-service condition.

Affected Systems

The defect affects the Zephyr project's Zephyr RTOS in its default configuration. It was introduced after the MCUmgr rework and shipped in Zephyr version 4.4.0; any build derived from that version that keeps the default buffer-pool size of four entries is vulnerable. Raising the pool size only increases the number of packets needed to exhaust it and does not remove the unchecked dereference. The fix moves the NULL check ahead of net_buf_reset and is available in later releases that incorporate the change.

Risk and Exploitability

The CVSS score of 6.2 reflects moderate severity; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is a local serial or console interface, which is often within reach of an attacker who can physically or remotely connect to the device. By sending a stream of packets the attacker can exhaust the limited buffer pool and trigger the crash, leading to denial of service. Because no privileges are required and the fault is deterministic, the risk to a device with an exposed serial console is significant when no mitigations are applied.

Generated by OpenCVE AI on June 30, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Zephyr patch that introduces a NULL check before resetting the buffer; the relevant commit is 6f363ec6f7fd6ae9ed7ca2ae66fd9c82dce31c59. This patch is available in newer Zephyr releases (e.g., 4.4.1 and later).
  • If the device does not require MCUmgr over the serial/console interface, disable or remove the SMP transport modules smp_uart.c, smp_raw_uart.c, and smp_shell.c to eliminate the attack surface.
  • Implement access controls on the serial/console port (e.g., use authentication, restrict physical access, or route traffic through a secure tunnel) to prevent an attacker from flooding the transport and exhausting the buffer pool.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | (empty) | (identical to the Description at the top of this page)
Title | (empty) | NULL-pointer dereference in MCUmgr serial/console SMP transport on buffer-pool exhaustion
Weaknesses | (empty) | CWE-476
References | (empty) | (empty)
Metrics | (empty) | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-29T22:51:27.935Z

Reserved: 2026-06-02T15:11:51.742Z

Link: CVE-2026-10648

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T00:30:06Z

Weaknesses