Description
A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set. When a subsequent PTP_MSG_ANNOUNCE message is processed, port_timer_set_timeout_random computes a timeout as NSEC_PER_SEC >> -log_seconds; if the attacker-supplied value is sufficiently negative (e.g., -127), the shift amount exceeds the 64-bit integer width, triggering undefined behavior in C. This can cause a system crash via a compiler-generated illegal instruction trap on some architectures, or produce an erroneous zero timeout leading to resource starvation loops or other logical errors.
Published: 2026-05-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bitwise shift vulnerability in the Zephyr PTP subsystem allows a remote attacker to trigger undefined behavior by sending a crafted PTP_MSG_MANAGEMENT message that sets an unvalidated negative log_announce_interval value. When a later PTP_MSG_ANNOUNCE message is processed, the system calculates a timeout using a right‑shift operation that can exceed the 64‑bit integer width if the value is sufficiently negative, leading to a compiler‑generated illegal instruction trap on some architectures or an erroneous zero timeout that causes resource starvation loops.

Affected Systems

The vulnerability affects the Zephyr Real‑Time Operating System. Any Zephyr build that includes the unvalidated log_announce_interval handling in the PTP subsystem is potentially impacted, with no specific version information provided in the advisory.

Risk and Exploitability

The flaw can be exploited remotely by sending a malicious PTP_MSG_MANAGEMENT packet to a Zephyr device participating in Precision Time Protocol. Attackers must have network access to the PTP management address space and must inject the payload before an announce message is processed. The CVSS score of 6.5 indicates moderate severity, and the EPSS score is less than 1%, suggesting a low likelihood of exploitation; the vulnerability is not listed in CISA KEV. If exploited, the attacker could cause the target system to crash or enter an infinite loop, resulting in a denial of service.

Generated by OpenCVE AI on May 22, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zephyr to a release that validates log_announce_interval before performing the shift operation.
  • If PTP is not required, disable the PTP subsystem or block incoming PTP_MSG_MANAGEMENT traffic on the network interfaces.
  • Add a bounds check around log_announce_interval in custom Zephyr code to ensure it remains within a safe, non‑negative range before any shift operation is performed.
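The bounds check from the last recommendation, as an added example (not Zephyr's own code). The function names, the left shift for non-negative values, and the -29..34 limits are assumptions of this example: the limits are the widest range in which the result is nonzero and fits in 64 bits, and a stricter policy such as the non-negative range suggested above only narrows them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL
/* Assumed bounds: widest range where the result is nonzero and fits in 64 bits. */
#define LOG_INTERVAL_MIN (-29) /* 1e9 >> 29 == 1 ns */
#define LOG_INTERVAL_MAX 34    /* 1e9 << 34 < 2^64  */

/* Pattern from the description: the shift count comes straight from the wire.
 * For log_seconds <= -64 the right shift is undefined behaviour in C.
 * The non-negative branch is an assumption of this example. */
uint64_t interval_ns_unchecked(int8_t log_seconds)
{
	if (log_seconds < 0) {
		return NSEC_PER_SEC >> -log_seconds;
	}
	return NSEC_PER_SEC << log_seconds;
}

/* Check to apply when a management message writes the data-set field. */
bool log_interval_is_valid(int8_t log_seconds)
{
	return log_seconds >= LOG_INTERVAL_MIN && log_seconds <= LOG_INTERVAL_MAX;
}

/* Hardened form: returns false instead of shifting by an out-of-range count. */
bool interval_ns_checked(int8_t log_seconds, uint64_t *out_ns)
{
	if (!log_interval_is_valid(log_seconds)) {
		return false;
	}
	*out_ns = (log_seconds < 0) ? NSEC_PER_SEC >> -log_seconds
				    : NSEC_PER_SEC << log_seconds;
	return true;
}

int main(void)
{
	const int8_t samples[] = { 1, 0, -3, -29, -30, -127 }; /* constructed inputs */
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t ns = 0;
		bool ok = interval_ns_checked(samples[i], &ns);
		printf("log=%4d -> %s %llu ns\n", samples[i],
		       ok ? "accepted" : "rejected", (unsigned long long)ns);
	}
	return 0;
}
```

Rejecting the value where the management message is parsed keeps the stored data set clean; repeating the check at the point of the shift covers any other path that can write the field.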


Advisories

No advisories yet.

History

Fri, 22 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-682

Fri, 22 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-682

Fri, 22 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 May 2026 09:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CWE-682

Fri, 22 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Zephyrproject-rtos
Zephyrproject-rtos zephyr
Vendors & Products Zephyrproject-rtos
Zephyrproject-rtos zephyr

Fri, 22 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set. When a subsequent PTP_MSG_ANNOUNCE message is processed, port_timer_set_timeout_random computes a timeout as NSEC_PER_SEC >> -log_seconds; if the attacker-supplied value is sufficiently negative (e.g., -127), the shift amount exceeds the 64-bit integer width, triggering undefined behavior in C. This can cause a system crash via a compiler-generated illegal instruction trap on some architectures, or produce an erroneous zero timeout leading to resource starvation loops or other logical errors.
Title ptp: Potential Denial of Service via PTP Interval Shift
References

MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-05-22T16:27:23.708Z

Reserved: 2026-03-27T23:46:06.666Z

Link: CVE-2026-5072

Vulnrichment

Updated: 2026-05-22T16:26:38.084Z

NVD

Status: Received

Published: 2026-05-22T08:16:15.027

Modified: 2026-05-22T08:16:15.027

Link: CVE-2026-5072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T20:30:06Z

Weaknesses