Concurrency Vulnerability in Zephyr Net_buf Library by Zephyr Project
CVE-2026-10653

6.4 MEDIUM

Key Information:

Status
Vendor
CVE Published: 30 June 2026

What is CVE-2026-10653?

The Zephyr net_buf library manipulates buffer reference counts with non-atomic operations. When a buffer is shared between threads and several of them drop their references at the same time, the unsynchronised read-modify-write on the count can race, so more than one caller may observe the count reaching zero and free the same memory block. The result is heap metadata corruption and use-after-free conditions. The flaw shows up in applications that share buffers across multiple unref'ers; the race window is narrow and an attacker can only exploit it indirectly, but it still increases the risk of memory mismanagement. The fix upgrades the reference-count manipulation to atomic operations, which closes the concurrent-access window.
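
As an added illustration (not Zephyr's code, with invented names), the C sketch below reproduces the race shape in a toy reference-counted buffer and places the atomic fix beside it: one scripted interleaving makes the non-atomic release path free twice, while the atomic release is stress-tested from several threads and frees exactly once.

```c
/* Added illustration, not Zephyr's code: a toy buffer whose release path
 * counts frees instead of calling free(), so a double release is observable. */
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>

struct demo_buf {
    atomic_uint ref;         /* reference count */
    atomic_uint free_calls;  /* how many times the "free" path ran */
};

/* Race-prone shape: a plain load-subtract-store decrement, then a re-read of the
 * count to decide on freeing; split in two so an interleaving can run between. */
static void buggy_unref_step1(struct demo_buf *b) { b->ref = b->ref - 1; }
static void buggy_unref_step2(struct demo_buf *b) { if (b->ref == 0) b->free_calls++; }

/* Two holders (ref == 2) release at once; both decrements land before either
 * check, so both see zero and both free: the double free the advisory describes. */
unsigned demo_buggy_double_release(void)
{
    struct demo_buf b = { .ref = 2, .free_calls = 0 };
    buggy_unref_step1(&b);   /* thread A: 2 -> 1 */
    buggy_unref_step1(&b);   /* thread B: 1 -> 0 */
    buggy_unref_step2(&b);   /* thread A: sees 0, frees */
    buggy_unref_step2(&b);   /* thread B: sees 0, frees again */
    return b.free_calls;     /* 2 */
}

/* Fixed shape: a single atomic read-modify-write; only the caller that moved
 * the count from 1 to 0 owns the free. */
void fixed_unref(struct demo_buf *b)
{
    if (atomic_fetch_sub_explicit(&b->ref, 1, memory_order_acq_rel) == 1)
        b->free_calls++;
}

#define NTHREADS 8
#define UNREFS_PER_THREAD 1000
static void *worker(void *arg) { for (int i = 0; i < UNREFS_PER_THREAD; i++) fixed_unref(arg); return NULL; }
/* Hands out NTHREADS*UNREFS_PER_THREAD references and drops them all
 * concurrently; exactly one release must take the free path. */
unsigned demo_fixed_concurrent_release(void)
{
    struct demo_buf b = { .ref = NTHREADS * UNREFS_PER_THREAD, .free_calls = 0 };
    pthread_t t[NTHREADS];
    for (int i = 0; i < NTHREADS; i++) pthread_create(&t[i], NULL, worker, &b);
    for (int i = 0; i < NTHREADS; i++) pthread_join(t[i], NULL);
    return b.free_calls;     /* 1 */
}
```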

Affected Version(s)

zephyr from 2.7.0 before 4.5.0

References

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved