216.73.217.50

CVE-2026-10637

· Published 16/06/2026 17:16 · Modified 16/06/2026 15:23 · Author: The MITRE Corporation

Labels: CVE-2026-10637 2026-06-16CVE-2026-10637CWE-416[email protected]

Essential information

Published
16/06/2026 17:16
Modified
16/06/2026 15:23
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
5.9 MEDIUM (v3.1)
CISA KEV
No
CWE
CWE-416
CVSS vector
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

CVSS metrics

Description

subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after that call'), a successful send transfers ownership of the net_pkt and the L2 driver frees it (e.g. ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab. The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot is concurrently reallocated, pkt-iface may read back as NULL (NULL-pointer dereference / crash) or as a stale/garbage pointer (stray increment write / memory corruption). The path is reachable remotely on the local link without authentication: handle_mld_query() (registered for NET_ICMPV6_MLD_QUERY) responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() - mld_send(). The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption. The fix caches the interface in a local before sending and no longer touches the packet after net_send_data(). The IPv4/IGMP sibling (igmp_send) already used the corrected pattern.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
zephyrproject / zephyr cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*:*

References