Memory Corruption and Denial of Service in Zephyr Networking Stack
CVE-2026-10637

5.9 MEDIUM

Key Information:

Status
Vendor
CVE Published: 16 June 2026

What is CVE-2026-10637?

A flaw in MLD query handling in the Zephyr networking stack can lead to memory corruption and denial of service. The issue arises when a packet is still accessed after its ownership has been transferred to the layer 2 driver, so the code operates on an object that may already have been freed (a use-after-free). The vulnerability can be triggered remotely, and dereferencing the stale pointers can cause a crash or erratic application behavior. The recommended fix is to cache the interface before sending, so that nothing touches the packet after the transfer.
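The ownership pattern described above, as an added example that is not Zephyr source code: a simplified model in which every name (`l2_send`, `mld_reply_unsafe`, `mld_reply_fixed`, `recycled`, `demo`) is hypothetical. Releasing the packet is modelled by overwriting its slot, so the stale read is observable without real undefined behaviour.

```c
#include <stdio.h>

/* Simplified model of the pattern, NOT Zephyr source; all names are hypothetical. */
struct iface { unsigned mld_sent; };     /* per-interface statistics */
struct pkt   { struct iface *iface; };   /* a packet records its interface */

static struct iface recycled;  /* stands in for whatever reuses the freed packet memory */

/* Models the L2 driver: takes ownership, transmits, releases (overwrites) the packet. */
static int l2_send(struct pkt *p)
{
    p->iface = &recycled;
    return 0;
}

/* Pattern from the advisory: the packet is read after ownership has moved. */
static int mld_reply_unsafe(struct pkt *p)
{
    int ret = l2_send(p);
    if (ret == 0)
        p->iface->mld_sent++;        /* stale read: updates an unrelated object */
    return ret;
}

/* Fix from the advisory: cache the interface before sending. */
static int mld_reply_fixed(struct pkt *p)
{
    struct iface *iface = p->iface;  /* taken while the packet is still ours */
    int ret = l2_send(p);
    if (ret == 0)
        iface->mld_sent++;           /* the packet is never touched after the send */
    return ret;
}

/* Sends one reply; returns the real interface's counter, *stray gets the other's. */
static unsigned demo(int (*reply)(struct pkt *), unsigned *stray)
{
    struct iface eth0 = { 0 };
    struct pkt p = { &eth0 };
    recycled.mld_sent = 0;
    reply(&p);
    *stray = recycled.mld_sent;
    return eth0.mld_sent;
}

int main(void)
{
    unsigned s1, s2;
    unsigned a = demo(mld_reply_unsafe, &s1), b = demo(mld_reply_fixed, &s2);
    printf("unsafe: iface=%u stray=%u\nfixed:  iface=%u stray=%u\n", a, s1, b, s2);
    return 0;
}
```

In the unsafe variant the statistics update lands on the unrelated object, which is how a write through a stale pointer corrupts memory; in the fixed variant it lands on the interface that actually sent the packet.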

Affected Version(s)

zephyr 1.12.0 < 4.5.0

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
