CVE-2026-10670 in zephyrinfo

Summary

by MITRE • 07/14/2026

The CONFIG_USERSPACE verification handler for the k_thread_name_copy() system call (z_vrfy_k_thread_name_copy() in kernel/thread.c) calls k_object_find() on the caller-supplied thread pointer and then dereferences the returned struct k_object without checking it for NULL. k_object_find() returns NULL whenever the supplied pointer is not a registered (static or dynamic) kernel object.

The pre-fix guard tested thread == NULL instead of ko == NULL, so an unprivileged user-mode thread that invokes k_thread_name_copy() with any non-NULL but unregistered pointer (e.g. an arbitrary address) passes the NULL test, after which the verifier reads ko->type through a NULL pointer.

Because the syscall verifier runs in supervisor mode, this NULL dereference is a kernel-mode fault that halts or reboots the system, allowing untrusted user code to crash the kernel across the userspace security boundary (denial of service). The marshaller passes the thread argument to the verifier without any prior K_SYSCALL_OBJ validation, so the bad pointer reaches the defect directly.

The flaw affects builds with CONFIG_USERSPACE and CONFIG_THREAD_NAME enabled and has been present since the special-case lookup was introduced around v2.0.0; it is present in v4.4.0 and earlier. The fix changes the guard to check the k_object_find() return value (ko == NULL) before dereferencing it.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability described represents a critical kernel-mode null pointer dereference in the Zephyr RTOS operating system that occurs during thread name copying operations. This flaw exists within the CONFIG_USERSPACE verification handler for the k_thread_name_copy() system call, specifically in the z_vrfy_k_thread_name_copy() function located in kernel/thread.c. The issue stems from inadequate validation of kernel object pointers before dereferencing them, creating a security boundary violation that allows unprivileged user-mode threads to execute code that could crash or reboot the entire system.

The technical implementation of this vulnerability involves a fundamental flaw in the verification logic where the code performs a NULL check against the thread pointer itself rather than against the kernel object structure returned by k_object_find(). When an unprivileged user-mode thread invokes k_thread_name_copy() with any non-NULL but unregistered thread pointer, the initial validation passes because thread != NULL evaluates to true. However, k_object_find() returns NULL for unregistered pointers, yet the code proceeds to dereference this NULL value through ko->type without proper validation. This creates a classic null pointer dereference condition that executes in supervisor mode, bypassing normal userspace protections.

The operational impact of this vulnerability is severe as it represents a denial-of-service attack vector that can be exploited by untrusted user code to crash the entire kernel. Since the syscall verifier operates in supervisor mode, any null pointer dereference results in a kernel-mode fault that halts or reboots the system entirely. This breach of the userspace security boundary allows malicious or compromised user processes to directly impact system stability and availability, effectively providing an attacker with a reliable method for causing system-wide disruption. The flaw has existed since version 2.0.0 and remains present in all versions through v4.4.0, making it a long-standing vulnerability affecting numerous deployments.

The mitigation strategy involves implementing proper validation of the k_object_find() return value by changing the guard condition from checking thread == NULL to checking ko == NULL before proceeding with any dereference operations. This simple but crucial fix ensures that all kernel object pointers are validated for existence before being accessed, preventing the null pointer dereference that leads to system crashes. From a cybersecurity perspective, this vulnerability aligns with CWE-476 which describes null pointer dereference issues, and represents a classic example of improper input validation that violates fundamental security principles. The ATT&CK framework categorizes this under privilege escalation and denial of service techniques, where an unprivileged user can leverage kernel-level vulnerabilities to achieve system-level disruption.

This vulnerability demonstrates the critical importance of proper kernel object validation in secure system design, particularly when implementing userspace isolation features. The flaw highlights how seemingly minor oversights in verification logic can create severe security implications that bypass fundamental protection mechanisms. Organizations using Zephyr RTOS with CONFIG_USERSPACE and CONFIG_THREAD_NAME enabled must urgently apply the fix to prevent exploitation, as the vulnerability provides no indication of an attacker's intent beyond causing system instability. The issue also underscores the need for comprehensive testing of kernel verification routines and proper validation of all object references before dereferencing in security-critical code paths.

Responsible

Zephyr

Reservation

06/02/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!