Use-After-Free Vulnerability in Zephyr Networking Stack
CVE-2026-10638
5.9 MEDIUM
What is CVE-2026-10638?
A use-after-free vulnerability in the Zephyr networking stack occurs when the ICMPv6 code improperly handles network packets. After a packet has been sent and its memory freed, the stack may still dereference a pointer to the freed packet memory, and an unauthenticated remote attacker can reach this flaw. By sending crafted ICMPv6 Echo Requests or IPv6 packets, the attacker may trigger a denial of service (application crash) and potentially memory corruption, because interface statistics are updated from the freed packet's data. The issue affects versions v4.2.0 through v4.4.0; a recent fix implements proper cache handling before the data is sent.
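The following C program is an added illustration of the bug class described above, not Zephyr's own code: the names net_if, net_pkt, net_pkt_alloc, net_pkt_unref, pkt_send and the poisoning packet pool are all constructed for this example. It shows a send path that takes ownership of the packet and releases it, a caller that still reads the packet's interface pointer and length afterwards to update statistics, and the hardened form that caches those fields before the send, which is how this example interprets the advisory's "cache handling before sending data".

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the advisory's bug class, not Zephyr code.
 * net_if, net_pkt, net_pkt_alloc, net_pkt_unref and pkt_send are stand-ins. */

#define POOL_SIZE  4
#define POISON_LEN 0xDEADu

struct net_if {
    const char *name;
    unsigned long bytes_sent;   /* per-interface statistics */
};

struct net_pkt {
    struct net_if *iface;       /* interface the packet goes out on */
    uint16_t len;
    int in_use;
};

/* Slab-like pool: releasing a packet poisons it, so a read after release is
 * deterministic and observable here instead of undefined behaviour. */
static struct net_pkt pkt_pool[POOL_SIZE];

struct net_pkt *net_pkt_alloc(struct net_if *iface, uint16_t len)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pkt_pool[i].in_use) {
            pkt_pool[i].iface = iface;
            pkt_pool[i].len = len;
            pkt_pool[i].in_use = 1;
            return &pkt_pool[i];
        }
    }
    return NULL;
}

void net_pkt_unref(struct net_pkt *pkt)
{
    pkt->iface = NULL;          /* poison: interface pointer is gone */
    pkt->len = POISON_LEN;      /* poison: length is garbage */
    pkt->in_use = 0;
}

/* The send path takes ownership of pkt and releases it; the caller must
 * not touch pkt after this returns. */
int pkt_send(struct net_pkt *pkt)
{
    int ret = (pkt->len > 0) ? 0 : -1;   /* pretend to transmit */
    net_pkt_unref(pkt);
    return ret;
}

/* Returns 0 on success, -1 if there is no interface to attribute to. */
static int stats_add_sent(struct net_if *iface, uint16_t len)
{
    if (iface == NULL) return -1;
    iface->bytes_sent += len;
    return 0;
}

/* VULNERABLE: reads pkt->iface and pkt->len after pkt_send() released pkt.
 * In a real stack this is the use-after-free; here the poison makes the
 * lost or wrong statistics update visible. */
int echo_reply_send_vulnerable(struct net_if *iface, uint16_t len)
{
    struct net_pkt *pkt = net_pkt_alloc(iface, len);
    if (pkt == NULL || pkt_send(pkt) < 0) return -1;
    return stats_add_sent(pkt->iface, pkt->len);   /* BUG: pkt is freed */
}

/* FIXED: cache everything the statistics update needs before handing the
 * packet to the send path, so nothing is read from pkt afterwards. */
int echo_reply_send_fixed(struct net_if *iface, uint16_t len)
{
    struct net_pkt *pkt = net_pkt_alloc(iface, len);
    if (pkt == NULL) return -1;
    struct net_if *cached_iface = pkt->iface;
    uint16_t cached_len = pkt->len;
    if (pkt_send(pkt) < 0) return -1;
    return stats_add_sent(cached_iface, cached_len);
}

/* Sends one 64-byte reply on a fresh interface; returns the interface's
 * bytes_sent afterwards, or -1 if the statistics update failed. */
long demo_result(int use_fixed)
{
    struct net_if eth0 = { "eth0", 0 };
    int rc = use_fixed ? echo_reply_send_fixed(&eth0, 64)
                       : echo_reply_send_vulnerable(&eth0, 64);
    return rc < 0 ? -1 : (long)eth0.bytes_sent;
}

int main(void)
{
    printf("vulnerable: %ld\n", demo_result(0));   /* -1: update lost */
    printf("fixed:      %ld\n", demo_result(1));   /* 64 */
    return 0;
}
```

The pool poisons released buffers only so the stale read is deterministic in a teaching program; in a real allocator the slot may already be reused by another packet, so the statistics land on the wrong interface or a wild pointer is dereferenced, which is the crash and corruption the advisory describes. The defensive rule the fixed variant follows is the general one: once a buffer's ownership is handed to another subsystem, copy out whatever the caller still needs first.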
Affected Version(s)
zephyr >= 4.2.0, < 4.5.0
