Description
The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 code check using the wrong operator precedence: the form was '((length/hop/source/target checks) && (icmp_hdr->code != 0))'. Because every legitimate ND message carries ICMPv6 code 0, an attacker setting code == 0 (the normal value) caused the entire predicate to evaluate false, so the packet was never dropped and all of the other checks were silently skipped. The bypassed checks include the mandatory Hop Limit == 255 verification (which proves an ND packet originated on-link and was not forwarded) and, for Router Advertisements, the requirement that the source be a link-local address, as well as multicast-target sanity checks. As a result, an adjacent on-link attacker — and, because the Hop-Limit-255 guard is bypassed, potentially a remote/off-link attacker whose packets would otherwise be rejected — can have forged Router Advertisement, Neighbor Solicitation, and Neighbor Advertisement messages accepted. A forged RA lets the attacker reconfigure the victim's default router, on-link prefixes (SLAAC), MTU, reachable/retransmit timers, and (with CONFIG_NET_IPV6_RA_RDNSS) DNS servers, while forged NS/NA enable neighbor-cache poisoning, enabling man-in-the-middle, traffic redirection, and denial of service. The flaw is an input-validation/authentication weakness rather than a memory-safety issue: the underlying packet-parsing primitives (net_pkt_get_data, net_pkt_read, net_pkt_skip) are independently bounds-safe and the validated 'length' is the true buffer length, so skipping the length check causes no out-of-bounds access. The defect has existed since the logic was introduced in 2018 and shipped in all releases through v4.4.0; it is fixed by splitting the condition so any failing check drops the packet.
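The precedence defect is easiest to see as a truth table. The following C program is an added illustration written for this page, not Zephyr's own code: it models the RFC 4861 validity checks as a single "checks fail" boolean and contrasts the flawed form described above (`checks && code != 0`) with the corrected form (`checks || code != 0`). The struct, field names, the `ND_HOP_LIMIT` and `RA_MIN_LEN` constants, and the sample inputs are constructed for the example; only the shape of the condition follows the advisory.

```c
/* Added example for CVE-2026-7656: flawed vs. fixed ND validity predicate.
 * Not Zephyr code; the constants, struct and samples are constructed here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ND_HOP_LIMIT 255u /* RFC 4861: ND messages must arrive with Hop Limit 255 */
#define RA_MIN_LEN   56u  /* constructed: IPv6 header (40) + ICMPv6 RA header (16) */

/* Constructed summary of the header fields the RA validity checks inspect. */
struct nd_msg {
    uint16_t length;         /* packet length as seen by the parser */
    uint8_t  hop_limit;      /* IPv6 Hop Limit */
    uint8_t  icmp_code;      /* ICMPv6 code; every legitimate ND message uses 0 */
    bool     src_link_local; /* RA only: source must be a link-local address */
};

/* True when at least one RFC 4861 requirement for an RA is violated. */
static bool ra_checks_fail(const struct nd_msg *m)
{
    return m->length < RA_MIN_LEN ||
           m->hop_limit != ND_HOP_LIMIT ||
           !m->src_link_local;
}

/* Flawed form from the advisory: the validity checks are ANDed with the
 * code test, so a code-0 packet can never be dropped by this branch. */
bool nd_drop_flawed(bool checks_fail, uint8_t icmp_code)
{
    return checks_fail && (icmp_code != 0);
}

/* Corrected form: any single failing check is sufficient to drop. */
bool nd_drop_fixed(bool checks_fail, uint8_t icmp_code)
{
    return checks_fail || (icmp_code != 0);
}

/* Convenience wrappers taking scalar fields so results are easy to check. */
bool ra_drop_flawed(uint16_t length, uint8_t hop_limit, uint8_t icmp_code, bool src_ll)
{
    struct nd_msg m = { length, hop_limit, icmp_code, src_ll };
    return nd_drop_flawed(ra_checks_fail(&m), m.icmp_code);
}

bool ra_drop_fixed(uint16_t length, uint8_t hop_limit, uint8_t icmp_code, bool src_ll)
{
    struct nd_msg m = { length, hop_limit, icmp_code, src_ll };
    return nd_drop_fixed(ra_checks_fail(&m), m.icmp_code);
}

int main(void)
{
    /* Constructed sample messages: {length, hop_limit, icmp_code, src_link_local}. */
    const struct nd_msg samples[] = {
        { 64, 255, 0, true  }, /* valid on-link RA: both forms accept */
        { 64,  64, 0, true  }, /* forwarded (hop limit 64): only the fix drops */
        { 64, 255, 0, false }, /* non-link-local source: only the fix drops */
        { 40, 255, 0, true  }, /* truncated: only the fix drops */
        { 64, 255, 7, true  }, /* non-zero code: only the fix drops */
    };
    printf("len hop code ll | flawed fixed\n");
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const struct nd_msg *m = &samples[i];
        bool fail = ra_checks_fail(m);
        printf("%3u %3u %4u %2d | %-6s %s\n", m->length, m->hop_limit, m->icmp_code,
               m->src_link_local,
               nd_drop_flawed(fail, m->icmp_code) ? "drop" : "accept",
               nd_drop_fixed(fail, m->icmp_code) ? "drop" : "accept");
    }
    return 0;
}
```

Running the table makes the defender-relevant point concrete: with code 0 the flawed branch never drops, regardless of hop limit, length or source address, which is why the Hop Limit 255 on-link guard and the link-local source requirement were silently bypassed for every real-world ND message.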
Published: 2026-06-29
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Zephyr RTOS IPv6 Neighbor Discovery handlers, where a Boolean expression incorrectly merges RFC 4861 validity checks with an ICMPv6 code comparison. Because every legitimate ND message carries code 0, the expression evaluates to false and bypasses mandatory checks such as hop-limit 255 and source-address validation. As a result, crafted Router Advertisements, Neighbor Solicitations, and Neighbor Advertisements are accepted without proper authentication. An attacker can thus reconfigure the victim’s default router, on-link prefixes, MTU, timers, and, with DNS-server reconfiguration enabled, alter DNS resolution. Fabricated NS/NA messages can poison the neighbor cache, enabling man-in-the-middle attacks, traffic diversion, and denial-of-service.

Affected Systems

Affected systems are all Zephyr RTOS releases up to and including version 4.4.0, where the flawed logic was first introduced in 2018 and remained uncorrected. The defect is present in the IPv6 Neighbor Discovery implementation located in subsys/net/ip/ipv6_nbr.c.

Risk and Exploitability

The risk is high: the CVSS score is 8.1, and the exploit does not depend on memory corruption or privilege escalation. EPSS information is not available, and the issue is not listed in CISA’s KEV catalog. An attacker only needs the ability to generate crafted ICMPv6 packets and can exploit the flaw from an adjacent on-link host; because the hop-limit check is bypassed, a remote off-link attacker can also succeed by spoofing packets. The attack is a network-level privilege escalation that compromises confidentiality, integrity, and availability of the target device and potentially the network segment it serves.

Generated by OpenCVE AI on June 30, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zephyr to any release newer than v4.4.0; the patch is included in commit 095f064c and all subsequent releases.
  • If an upgrade cannot be performed immediately, enable strict Neighbor Discovery validation in the Zephyr network stack by enforcing hop limit 255 and source-address checks for Router Advertisements, or temporarily disable RA/NS/NA processing.
  • Deploy a network-layer filter or firewall rule that drops or logs suspicious RA, NS, and NA packets, and monitor for anomalous Neighbor Discovery traffic to detect exploitation attempts.


Tracking

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 22:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | (identical to the Description at the top of this page) |
| Title | | Broken IPv6 Neighbor Discovery input validation allows spoofed RA/NS/NA acceptance in Zephyr net stack |
| Weaknesses | | CWE-290, CWE-670 |
| References | | |
| Metrics | | cvssV3_1: score 8.1, vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |



MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-29T22:09:10.460Z

Reserved: 2026-05-01T18:40:20.792Z

Link: CVE-2026-7656

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T00:45:04Z

Weaknesses
  • CWE-290: Authentication Bypass by Spoofing
  • CWE-670: Always-Incorrect Control Flow Implementation