IPv6 Neighbor Discovery Vulnerability in Zephyr by Zephyr Project
CVE-2026-10640
4.2 MEDIUM
What is CVE-2026-10640?
The IPv6 Neighbor Discovery paths in Zephyr contain a memory-handling vulnerability that unauthenticated on-link nodes can exploit. Specifically, after an ICMPv6 Neighbor Solicitation message is sent, incorrect handling of packet statistics can lead to a use-after-free condition, potentially resulting in corrupted statistics or a denial of service. The vulnerability affects Zephyr OS versions 3.3.0 through 4.4.0, and the exploitation risk is significantly heightened by the accessibility of the affected paths. The fix handles memory more safely by using the existing interface arguments, minimizing the chance of memory corruption.
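The pattern described above, as an added example that is not Zephyr source code: a one-slot packet pool models a packet whose ownership passes to the send path, so the stale access can be observed without undefined behaviour. All names (`send_ns_stale`, `send_ns_fixed`, `pkt_alloc`, `send_data`) are hypothetical, and it assumes the stale access is a read of the packet's interface after the send.

```c
#include <stdio.h>

/* Simplified model, NOT Zephyr source: every name here is hypothetical. */
struct iface { const char *name; unsigned ns_sent; };
struct pkt { struct iface *iface; int refs; };

static struct iface eth0 = { "eth0", 0 }, other = { "other", 0 };
static struct pkt slot; /* one-slot packet pool (constructed) */

static struct pkt *pkt_alloc(struct iface *i)
{
    slot.iface = i;
    slot.refs = 1;
    return &slot;
}

/* Sending consumes the caller's reference. Once the count hits zero the
 * slot is handed to another allocation, as can happen after a real free. */
static int send_data(struct pkt *p)
{
    if (--p->refs == 0)
        pkt_alloc(&other); /* slot recycled for a different interface */
    return 0;
}

/* Before: reads the interface back out of the packet after the send. */
static int send_ns_stale(struct iface *i)
{
    struct pkt *p = pkt_alloc(i);
    if (send_data(p) < 0)
        return -1;
    p->iface->ns_sent++; /* stale read: the packet is no longer ours */
    return 0;
}

/* After: counts against the interface argument the caller already holds. */
static int send_ns_fixed(struct iface *i)
{
    struct pkt *p = pkt_alloc(i);
    if (send_data(p) < 0)
        return -1;
    i->ns_sent++; /* never touches the packet after the send */
    return 0;
}

int main(void)
{
    send_ns_stale(&eth0);
    printf("stale: eth0=%u other=%u\n", eth0.ns_sent, other.ns_sent);
    send_ns_fixed(&eth0);
    printf("fixed: eth0=%u other=%u\n", eth0.ns_sent, other.ns_sent);
    return 0;
}
```

In the stale variant the counter lands on whichever interface now occupies the recycled slot; with a real heap or slab allocator the same read touches freed memory.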
Affected Version(s)
zephyr 3.3.0 < 4.5.0
