CVE-2026-10667 in zephyr
Summary
by MITRE • 07/12/2026
Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj_list) of dynamically allocated kernel objects. Iteration over this list in k_object_wordlist_foreach() was performed under lists_lock using the SAFE iterator (which caches the next node), but list removal and freeing of nodes was performed under different, disjoint spinlocks: objfree_lock in k_object_free() and obj_lock in unref_check(). On an SMP system, while one CPU iterated obj_list under lists_lock, another CPU could unlink and k_free() the dyn_obj node that the iterator had cached as its next pointer, causing the iterator to dereference freed kernel memory (use-after-free / dangling list traversal). All of the racing operations are reachable from unprivileged user-mode threads via system calls: k_object_alloc/k_object_alloc_size and k_object_release drive removals through unref_check() (under obj_lock), while k_thread_abort and thread creation drive the iteration through k_thread_perms_all_clear()/k_thread_perms_inherit() (under lists_lock). A deprivileged user thread on a CONFIG_SMP + CONFIG_USERSPACE build can therefore corrupt the kernel's object-tracking structures across the userspace security boundary, yielding kernel memory corruption (potential privilege escalation) or a kernel crash (denial of service). The fix removes objfree_lock and serializes every obj_list modification under lists_lock, including holding it across find+remove in k_object_free() and around unref_check() in k_thread_perms_clear(). Affects CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations; the defect dates to the 2019 spinlockification (commit 8a3d57b6cc6, first released in v1.14.0) and shipped through v4.4.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/12/2026
The vulnerability described represents a critical use-after-free condition in Zephyr's kernel object tracking mechanism that exploits race conditions between concurrent operations on a doubly-linked list structure. This flaw exists within the dynamic kernel-object tracking subsystem where kernel objects are managed through a global linked list maintained by obj_list. The implementation uses multiple spinlocks for different operations, creating a scenario where concurrent access patterns can lead to memory corruption. The vulnerability specifically affects systems configured with SMP (Symmetric Multi-Processing), userspace support, and dynamic object tracking enabled, making it particularly dangerous in multi-core environments where thread scheduling can create unpredictable race conditions.
The technical root cause stems from inconsistent lock usage patterns during list traversal operations. The k_object_wordlist_foreach() function performs iteration under lists_lock using a SAFE iterator that caches the next node pointer for performance reasons. However, when objects are removed from the list through k_object_free() or thread permission clearing operations, these removals occur under different spinlocks: objfree_lock in k_object_free() and obj_lock in unref_check(). This discrepancy creates a window where one CPU can iterate over cached nodes while another CPU simultaneously frees those same nodes, leading to dereference of freed memory. The iterator continues traversing through pointers that no longer point to valid kernel memory locations, causing undefined behavior and potential privilege escalation.
The operational impact of this vulnerability extends beyond simple denial of service to include potential privilege escalation across the userspace-kernel boundary. Unprivileged user-mode threads can trigger the race condition through legitimate system calls such as k_object_alloc, k_object_alloc_size, k_object_release, k_thread_abort, and thread creation operations. These system calls ultimately lead to either k_thread_perms_all_clear() or k_thread_perms_inherit() functions that perform list iteration under lists_lock, while simultaneously allowing object removal through unref_check() under obj_lock. The combination of these operations creates a scenario where a deprivileged user thread can corrupt kernel memory structures, potentially gaining elevated privileges or causing system instability through kernel crashes.
Mitigation strategies focus on serializing all modifications to the obj_list structure through a single consistent lock mechanism. The fix implements a comprehensive approach by removing the separate objfree_lock and ensuring that all operations modifying the object list occur under the lists_lock. This includes holding the lock across find and remove operations in k_object_free() and maintaining lock consistency around unref_check() calls in k_thread_perms_clear(). This approach eliminates the race condition by ensuring that no iteration can proceed while modifications are occurring, preventing the iterator from accessing freed memory nodes. The vulnerability affects all Zephyr versions from v1.14.0 through v4.4.0 and was introduced during a spinlockification effort in 2019, making it a long-standing issue that required significant architectural changes to resolve properly.
This vulnerability aligns with CWE-416 (Use After Free) and CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) while demonstrating characteristics consistent with ATT&CK techniques involving privilege escalation through kernel memory corruption. The flaw represents a classic example of how seemingly benign lock management decisions can create critical security vulnerabilities in concurrent systems, particularly when dealing with shared data structures that require atomic operations across multiple execution contexts.