Impact
A race condition in the Zephyr TCP stack can cause the tcp_recv() routine to operate on a connection that has already been released. When tcp_conn_search() returns NULL while a SYN packet is being processed, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation. The unvalidated dereference crashes the Zephyr system or the affected process. The flaw corresponds to CWE-476 (NULL pointer dereference). No privilege escalation or data disclosure beyond the resulting crash is documented; the primary impact is a denial of service affecting the availability of the embedded device or network service running Zephyr.
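The pattern the advisory describes is a lookup that can legitimately return NULL once a listener has been torn down, followed by a callee that assumes its argument is live. The example below is an added illustration, not Zephyr's code or API: the connection table, the names conn_lookup(), backlog_is_full_checked(), backlog_is_full_unchecked() and handle_syn(), and the constructed scenario are all hypothetical. It contrasts the unchecked shape with a hardened one in which the SYN handler rejects a missing listener and the backlog check itself tolerates NULL, so that losing the race with teardown yields a dropped packet rather than a crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified listener table (constructed for this example). */
#define MAX_CONNS 4
#define BACKLOG_LIMIT 2

struct conn {
    uint16_t local_port;
    int in_use;          /* 0 once the listener has been released */
    int backlog_count;   /* pending SYNs queued on this listener */
};

static struct conn table[MAX_CONNS];

enum syn_result { SYN_ACCEPTED = 0, SYN_DROPPED_BACKLOG = 1, SYN_NO_CONN = 2 };

/* Lookup that returns NULL when no live listener matches the port. */
static struct conn *conn_lookup(uint16_t port) {
    for (int i = 0; i < MAX_CONNS; i++) {
        if (table[i].in_use && table[i].local_port == port)
            return &table[i];
    }
    return NULL;
}

/* Unchecked shape: trusts the caller and dereferences unconditionally.
 * Passing NULL here is exactly the CWE-476 failure the advisory describes. */
static int backlog_is_full_unchecked(const struct conn *c) {
    return c->backlog_count >= BACKLOG_LIMIT;
}

/* Hardened shape: a NULL listener is reported as "cannot accept", never dereferenced. */
static int backlog_is_full_checked(const struct conn *c) {
    if (c == NULL)
        return 1;
    return c->backlog_count >= BACKLOG_LIMIT;
}

/* Hardened SYN handling: validate the lookup result before any callee can touch it. */
static enum syn_result handle_syn(uint16_t port) {
    struct conn *c = conn_lookup(port);
    if (c == NULL) {
        /* Listener already released (lost the race with teardown): drop the SYN. */
        return SYN_NO_CONN;
    }
    if (backlog_is_full_checked(c))
        return SYN_DROPPED_BACKLOG;
    c->backlog_count++;
    return SYN_ACCEPTED;
}

/* Scenario helpers (constructed). */
static void table_reset(void) { memset(table, 0, sizeof(table)); }

static int listener_open(uint16_t port) {
    for (int i = 0; i < MAX_CONNS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            table[i].local_port = port;
            table[i].backlog_count = 0;
            return 0;
        }
    }
    return -1;
}

static void listener_close(uint16_t port) {
    struct conn *c = conn_lookup(port);
    if (c != NULL)
        memset(c, 0, sizeof(*c));   /* release: subsequent lookups return NULL */
}

int main(void) {
    table_reset();
    listener_open(80);
    printf("live listener, backlog full? %d\n", backlog_is_full_unchecked(conn_lookup(80)));
    printf("SYN #1: %d, SYN #2: %d, SYN #3: %d\n",
           handle_syn(80), handle_syn(80), handle_syn(80));
    listener_close(80);
    /* After teardown the hardened path drops the SYN instead of dereferencing NULL. */
    printf("SYN after close: %d\n", handle_syn(80));
    return 0;
}
```

The defensive point is that both layers guard independently: the caller refuses to proceed when the lookup fails, and the callee still handles NULL, so a future refactor that reorders the checks does not silently reintroduce the dereference.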
Affected Systems
The vulnerability is reported to affect the Zephyr operating system provided by zephyrproject-rtos. No specific release or version range is given in the available CNA data; system administrators must consult the linked advisory for detailed version guidance.
Risk and Exploitability
The CVSS base score of 6.4 indicates moderate severity. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, so no exploitation in the wild is currently known. Triggering the flaw likely requires winning a narrow race during TCP connection teardown, which may result from a sequence of crafted network packets or from concurrent traffic. Because the flaw is triggered internally within the Zephyr TCP stack, remote exploitation is not explicitly confirmed, but local or privileged users able to create such a race could force a crash. The overall risk is moderate, the main threat being a denial of service against the target device.
OpenCVE Enrichment