Denial of Service Vulnerability in Zephyr RTOS MCUmgr Component
CVE-2026-10648

6.2 MEDIUM

Key Information:

CVE Published: 29 June 2026

What is CVE-2026-10648?

A vulnerability exists in the serial transport of the MCUmgr component of Zephyr RTOS that can be exploited to cause a denial of service. When the shared packet pool is exhausted, the buffer allocation returns NULL, and the transport then calls net_buf_reset on that NULL pointer, dereferencing it and crashing the device. An attacker with access to the serial link can trigger the exhaustion by flooding the transport with fragments; no authentication or user interaction is required, but the attack vector is local (CVSS AV:L). The defect was introduced by the MCUmgr rework shipped in the default build of Zephyr v4.4.0. The fix adds a NULL check before any reset is attempted, so an exhausted pool results in the fragment being dropped rather than a crash.
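The following C program is an added illustration of the failure mode described above; it is not Zephyr's code and does not use Zephyr's real net_buf structures. It models a fixed-size buffer pool (toy_pool, toy_buf, toy_buf_alloc, toy_buf_reset are all hypothetical stand-ins), an unchecked receive path with the shape of the bug, and a hardened path that checks for NULL before reset. The flood is simulated by holding every allocated buffer and then receiving one more fragment; the sample fragment bytes are constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a shared packet pool: a fixed number of
 * slots, and NULL once every slot is in use (the exhausted case). */
#define POOL_SIZE 4
#define BUF_SIZE  64

struct toy_buf {
    uint8_t  data[BUF_SIZE];
    uint16_t len;
    bool     in_use;
};

struct toy_pool {
    struct toy_buf bufs[POOL_SIZE];
};

static struct toy_buf *toy_buf_alloc(struct toy_pool *pool)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool->bufs[i].in_use) {
            pool->bufs[i].in_use = true;
            pool->bufs[i].len = 0;
            return &pool->bufs[i];
        }
    }
    return NULL;                 /* pool exhausted, as under a flood */
}

/* Mirrors the behaviour the advisory attributes to net_buf_reset():
 * it dereferences its argument unconditionally, so NULL is a crash. */
static void toy_buf_reset(struct toy_buf *buf)
{
    buf->len = 0;
}

/* Vulnerable shape: allocate, then reset without a NULL check.
 * Safe only while the pool has free slots; with an exhausted pool the
 * reset dereferences NULL. Shown for comparison, not run on an
 * exhausted pool here. */
int rx_fragment_vulnerable(struct toy_pool *pool, const uint8_t *frag, size_t n)
{
    struct toy_buf *buf = toy_buf_alloc(pool);
    toy_buf_reset(buf);          /* NULL dereference when exhausted */
    memcpy(buf->data, frag, n);
    buf->len = (uint16_t)n;
    return 0;
}

/* Hardened shape: check before reset and drop the fragment with an
 * error instead of crashing the device. */
int rx_fragment_fixed(struct toy_pool *pool, const uint8_t *frag, size_t n)
{
    if (n > BUF_SIZE) {
        return -EMSGSIZE;
    }
    struct toy_buf *buf = toy_buf_alloc(pool);
    if (buf == NULL) {
        return -ENOMEM;          /* exhausted: drop, do not reset */
    }
    toy_buf_reset(buf);
    memcpy(buf->data, frag, n);
    buf->len = (uint16_t)n;
    return 0;
}

/* Simulated flood: `inflight` fragments arrive and their buffers are
 * never released, then one more fragment arrives. Returns the hardened
 * handler's result for that last fragment. */
int flood_then_receive(int inflight)
{
    struct toy_pool pool;
    memset(&pool, 0, sizeof(pool));
    static const uint8_t frag[] = {0x06, 0x09, 0x00, 0x01}; /* constructed */

    for (int i = 0; i < inflight; i++) {
        (void)rx_fragment_fixed(&pool, frag, sizeof(frag));
    }
    return rx_fragment_fixed(&pool, frag, sizeof(frag));
}

int main(void)
{
    struct toy_pool fresh;
    memset(&fresh, 0, sizeof(fresh));
    static const uint8_t one[] = {0x01};                   /* constructed */

    /* On a pool with free slots both paths behave the same. */
    printf("vulnerable path, fresh pool: rc=%d\n", rx_fragment_vulnerable(&fresh, one, 1));
    printf("%d in flight of %d: rc=%d\n", POOL_SIZE - 1, POOL_SIZE, flood_then_receive(POOL_SIZE - 1));
    printf("%d in flight of %d: rc=%d (-ENOMEM, dropped)\n", POOL_SIZE, POOL_SIZE, flood_then_receive(POOL_SIZE));
    return 0;
}
```

The point the example makes is that pool exhaustion is a normal runtime condition on a constrained device, not an error in the caller's logic, so any allocation from a shared pool must be treated as fallible on the receive path; the hardened handler turns the crash into a dropped fragment, which the sender can retry.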

Affected Version(s)

zephyr >= 4.4.0, < 4.5.0

References

CVSS V3.1

Score:
6.2
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
