Description
The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block ref_count at the start of each variable/heap data allocation -- with plain non-atomic C operators (buf->ref++, if (--buf->ref > 0), if (--(*ref_count))). The API is documented as self-synchronizing: callers may share one buffer across threads (e.g. via k_fifo) and each holder independently calls net_buf_unref() with no surrounding lock. Under true concurrency (SMP, or single-core preemption between the non-atomic load and store while another context unrefs the same buffer), two holders can both observe the same prior reference value and both conclude they are the last reference. For heap/variable-data pools (mem_pool_data_unref/heap_data_unref, used by zbus message subscribers, the IP stack RX/TX buffers when CONFIG_NET_BUF_FIXED_DATA_SIZE=n, capture, wireguard, ISO-TP and usbip) this produces a double k_heap_free()/k_free() of the same block -- heap-metadata corruption and a use-after-free on the heap-hardening poison pattern. For the per-header refcount the buffer is returned to the pool free LIFO twice for any pool type (including fixed-data pools used by Bluetooth and networking), corrupting the free list so a later allocation hands the same buffer to two owners. The fix converts both refcounts to atomic_inc/atomic_dec (overlaying buf->ref in an atomic_t-sized union and changing the data-block refcount from uint8_t to atomic_t). Impact is gated on genuine concurrency and on an application architecture that shares one buffer among multiple independent unref'ers; the trigger is a refcount/timing race rather than packet content, so an external attacker has at most weak indirect influence over the race window. Affects all Zephyr releases through v4.4.0.
Published: 2026-06-30
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zephyr's network buffer library used non-atomic operations to manipulate the per-header reference count and the per-data-block reference counter. When two contexts concurrently called the unreferencing routine, each could observe the same prior value and both conclude they were the final owner, leading to a double free or a duplicate return to the buffer pool. The result is corruption of heap metadata, a use-after-free on the heap-hardening poison pattern, or a corrupted free list that hands the same buffer to multiple owners. Such memory corruption is a critical flaw that can enable an attacker to execute arbitrary code or crash the system.
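The race described in the Description and in this Impact paragraph, modelled as an added example (not Zephyr code): a buf->ref-style counter updated with a separate load and store that another context can interleave, beside a C11 atomic counter standing in for Zephyr's atomic_inc()/atomic_dec(). The struct, the function names and the four-holder scenario are constructed here.

```c
#include <stdatomic.h>
#include <stdint.h>
/* Constructed model of a net_buf-style refcount; not Zephyr's struct. */
struct buf {
    uint8_t ref;            /* plain counter, as touched by buf->ref++ / --buf->ref */
    atomic_uint ref_atomic; /* fixed counter (Zephyr overlays an atomic_t union)     */
    int frees;              /* times the buffer was "returned to the pool"           */
    int uaf_unrefs;         /* unrefs that ran after the buffer had been freed       */
};

/* Vulnerable pattern: the ++ / -- is a load followed by a store. Keeping
 * them as separate calls lets the scenario below put another context in
 * between, which is the window the advisory describes. */
static uint8_t rmw_load(const struct buf *b) { return b->ref; }
static void ref_store(struct buf *b, uint8_t loaded) { b->ref = (uint8_t)(loaded + 1); }
static void unref_store(struct buf *b, uint8_t loaded) {
    if (b->frees) b->uaf_unrefs++;        /* a holder is touching a freed buffer */
    b->ref = (uint8_t)(loaded - 1);
    if (b->ref == 0) b->frees++;          /* "last reference": return to pool */
}

/* Fixed pattern: one indivisible read-modify-write. fetch_sub returns the
 * prior value, so exactly one caller can ever see it drop from 1 to 0. */
static void ref_atomic(struct buf *b) { atomic_fetch_add(&b->ref_atomic, 1); }
static void unref_atomic(struct buf *b) {
    if (b->frees) b->uaf_unrefs++;
    if (atomic_fetch_sub(&b->ref_atomic, 1) == 1) b->frees++;
}

/* Scenario: two holders (count 2) each pass the buffer to a new holder at the
 * same moment, then all four release it in turn. Returns unrefs on a freed buffer. */
int run_nonatomic(void) {
    struct buf b = { .ref = 2 };
    uint8_t seen_a = rmw_load(&b);         /* context A reads 2 */
    uint8_t seen_b = rmw_load(&b);         /* context B preempts and also reads 2 */
    ref_store(&b, seen_a);                 /* A writes 3 */
    ref_store(&b, seen_b);                 /* B writes 3: one increment is lost */
    for (int i = 0; i < 4; i++)            /* four holders, but the count says three */
        unref_store(&b, rmw_load(&b));     /* freed on the 3rd unref; the 4th is a UAF */
    return b.uaf_unrefs;                   /* 1 */
}

int run_atomic(void) {
    struct buf b = { .ref_atomic = 2 };
    ref_atomic(&b);
    ref_atomic(&b);                        /* count 4 matches the four holders */
    for (int i = 0; i < 4; i++)
        unref_atomic(&b);                  /* freed exactly once, on the last unref */
    return b.uaf_unrefs;                   /* 0 */
}
```

The same lost update on the decrement side leaves the count too high instead, so the buffer is never returned to its pool; either way the counter stops matching the number of holders.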

Affected Systems

All Zephyr releases up through version 4.4.0 are affected. The issue is present in the Zephyr project's network buffer library and reaches every module that uses net_buf, including networking, Bluetooth, zbus, and USBIP.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. EPSS information is not available and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires true concurrency, such as SMP or preemption between the non-atomic load and store while another context releases the same buffer. An external attacker has at most indirect influence over the race window, so while the flaw is serious, successful exploitation would depend on a highly orchestrated scenario rather than a simple remote attack.

Generated by OpenCVE AI on June 30, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Zephyr source tree to a release newer than v4.4.0, where reference counts are protected with atomic operations.
  • Audit application code to avoid sharing net_buf objects across threads without explicit synchronization or restrict such sharing to a single thread context.
  • If an immediate upgrade is not feasible, disable or serialize concurrent buffer ownership in the affected components and enforce single-threaded buffer release patterns as a temporary measure.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description (identical to the Description section above)
Title Non-atomic `net_buf` reference counts cause double-free / free-list corruption under concurrent unref
Weaknesses CWE-415
References
Metrics cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-30T16:41:17.437Z

Reserved: 2026-06-02T15:24:26.926Z

Link: CVE-2026-10653

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:30:15Z

Weaknesses