Use-After-Free Vulnerability in Zephyr's IPv4 IGMP Implementation
CVE-2026-10636

3.7 LOW

Key Information:

Status
Vendor
CVE Published: 16 June 2026

What is CVE-2026-10636?

A use-after-free vulnerability exists in Zephyr's IPv4 IGMP implementation, specifically in the igmp_send() function in subsys/net/ip/igmp.c. After the packet is handed to the send path, the function still accesses the packet structure; if the send released the packet's last reference, that structure has already been freed by the time the remaining operations run. The flaw can be triggered without authentication through incoming IPv4 IGMP membership queries and through local multicast operations, and leads to undefined behavior, potential denial of service, and sporadic application crashes. The issue was introduced together with IGMPv2 support and affects multiple versions of the software. A patch has been provided that caches the needed interface pointer before the send operation, so that the freed packet is no longer dereferenced afterwards.
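The bug shape and the fix described above, reduced to a small model added here as an illustration (this is not Zephyr's own code): the packet, interface and send functions are constructed stand-ins, and the "freed" state is modelled by poisoning the packet's fields so that the stale read after the send becomes observable instead of silent undefined behavior.

```c
#include <string.h>

/* Minimal model of a reference-counted packet, constructed for this
 * illustration; it is not Zephyr's net_pkt/net_if API. */
struct net_if { const char *name; };
struct net_pkt { int refcount; struct net_if *iface; };

/* Drop one reference. When the last one goes, poison the fields instead of
 * calling free(), so a stale access is observable rather than silent UB. */
static void pkt_unref(struct net_pkt *pkt) {
    if (--pkt->refcount == 0) pkt->iface = NULL;
}

/* The send path consumes the caller's reference: after it returns, the
 * caller may only touch pkt if it still holds another reference. */
static int net_send(struct net_pkt *pkt) {
    pkt_unref(pkt);
    return 0;
}

/* Buggy shape: reads pkt->iface after the send released the last reference. */
static struct net_if *igmp_send_buggy(struct net_pkt *pkt) {
    if (net_send(pkt) < 0) return NULL;
    return pkt->iface;    /* use-after-free: pkt may already be gone */
}

/* Fixed shape: cache the interface pointer while pkt is still alive and use
 * the cached copy for any post-send bookkeeping. */
static struct net_if *igmp_send_fixed(struct net_pkt *pkt) {
    struct net_if *iface = pkt->iface;
    if (net_send(pkt) < 0) return NULL;
    return iface;
}

/* Scenarios with a packet whose only reference is the one the send consumes;
 * each returns 1 when the described behaviour is observed. */
static int buggy_loses_iface(void) {
    struct net_if eth = { "eth0" };
    struct net_pkt pkt = { 1, &eth };
    return igmp_send_buggy(&pkt) == NULL;
}

static int fixed_keeps_iface(void) {
    struct net_if eth = { "eth0" };
    struct net_pkt pkt = { 1, &eth };
    struct net_if *seen = igmp_send_fixed(&pkt);
    return seen != NULL && strcmp(seen->name, "eth0") == 0;
}
```

In real code the poisoned pointer would instead be a dangling one into freed pool memory, which is why sanitizers (ASan, or Zephyr's net_pkt debug options) are the practical way to catch this class of bug in testing.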

Affected Version(s)

zephyr >= 2.6.0, < 4.5.0

References

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
