Memory Corruption Issue in Zephyr's Dynamic Kernel-Object Tracking
CVE-2026-10667

7.8HIGH

Key Information:

Status
Vendor
CVE Published:
12 July 2026

What is CVE-2026-10667?

The vulnerability arises from improper synchronization in Zephyr's dynamic kernel-object tracking system, where the handling of a doubly-linked list of allocated kernel objects can lead to a use-after-free condition. Specifically, this flaw enables a race condition between iteration and modification of the object list across different CPU threads. When one CPU iterates over the list while another removes and frees nodes, it risks dereferencing freed memory, leading to potential kernel crashes or privilege escalation attacks. This critical issue impacts configurations using CONFIG_SMP, CONFIG_USERSPACE, and CONFIG_DYNAMIC_OBJECTS, dating back to changes introduced in 2019.

Affected Version(s)

zephyr 1.14.0 < 4.5.0

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.