zephyrproject zephyr up to 4.4.x subsys/net/ip/ipv6_nbr.c use after free

Summaryinfo

A vulnerability, which was classified as critical, has been found in zephyrproject zephyr up to 4.4.x. Affected is the function net_ipv6_send_na/net_ipv6_send_ns/net_ipv6_send_rs of the file subsys/net/ip/ipv6_nbr.c. Performing a manipulation results in use after free. This vulnerability is reported as CVE-2026-10640. The attacker must have access to the local network to execute the attack. No exploit exists. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability was found in zephyrproject zephyr up to 4.4.x. It has been classified as critical. This affects the function net_ipv6_send_na/net_ipv6_send_ns/net_ipv6_send_rs of the file subsys/net/ip/ipv6_nbr.c. The manipulation with an unknown input leads to a use after free vulnerability. CWE is classifying the issue as CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success path the network stack owns and releases the packet's reference (the L2/driver send unrefs it, e.g. ethernet_send - net_pkt_unref), so for a freshly allocated packet with refcount 1 the net_pkt slab block can be freed before the statistics line runs (synchronously when no TX queue thread is configured, or via a concurrent TX thread otherwise). The subsequent net_pkt_iface(pkt) reads pkt-iface from the freed slab block, and with CONFIG_NET_STATISTICS_PER_INTERFACE enabled that loaded pointer is dereferenced to increment iface-stats.icmp.sent, a use-after-free (CWE-416). If the slab block was reallocated in the meantime the read/increment targets unrelated or attacker-influenced memory, yielding corrupted statistics, a fault/crash (denial of service), or potential limited memory corruption. The vulnerable Neighbor Advertisement path is reachable by any unauthenticated on-link node simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled (handle_ns_input - net_ipv6_send_na). Affected from v3.3.0 through v4.4.0; the fix uses the already-available iface argument instead of touching the sent packet. Configurations without per-interface statistics dereference only a global counter and are not affected by the memory-safety aspect.

The advisory is shared at github.com. This vulnerability is uniquely identified as CVE-2026-10640 since 06/02/2026. The exploitability is told to be difficult. The attack can only be done within the local network. No form of authentication is needed for exploitation. Technical details are known, but no exploit is available.

Upgrading to version 4.5.0 eliminates this vulnerability. Applying the patch aaed8332a62b0490a2f3c2cbabe272f575068eaa is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Project Management Software

Vendor

• zephyrproject

Name

• zephyr

Version

• 4.0
• 4.1
• 4.2
• 4.3
• 4.4

License

• open-source

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion