Description
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.
Published: 2026-06-25
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zephyr's IPv6 network stack can be prevented from receiving or processing future packets when an attacker sends a small number of maliciously fragmented IPv6 packets. When such a packet is handled, the associated receive buffer is allocated from a memory slab but never released back to the pool. Repeating the malicious packet exhausts all receive buffers, halting the device’s ability to accept new traffic and resulting in a denial of service. This flaw is identified as a memory-management weakness, classified under CWE‑772.

Affected Systems

Zephyr RTOS (Zephyr). Specific version information is not provided in the advisory.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5 and is not listed in CISA’s Known Exploited Vulnerabilities catalog. The exploit path requires the attacker to send carefully crafted fragmented IPv6 packets to a Zephyr-based device over the network. No special privileges or local access are needed; a remote attacker can trigger the denial of service. The effect is limited to network connectivity, causing the device to stop receiving traffic once all buffers are consumed.

Generated by OpenCVE AI on June 25, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zephyr RTOS to the latest release that contains the corrected fragment header handling.
  • Configure perimeter network devices to drop or block fragmented IPv6 packets from external sources, or enforce strict fragmentation checks on inbound traffic.
  • Monitor RX buffer utilization and configure an automatic reboot or traffic throttling policy when buffer exhaustion thresholds are approached.



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.
Title | | net: Maliciously fragmented IPv6 packets can prevent receiving/processing future incoming packets
Weaknesses | | CWE-772
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-25T16:27:17.917Z

Reserved: 2026-06-25T16:13:43.055Z

Link: CVE-2026-13351

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T17:30:05Z

Weaknesses
  • CWE-772: Missing Release of Resource after Effective Lifetime