Memory Corruption Issue in Zephyr's Dynamic Kernel-Object Tracking
CVE-2026-10667
7.8HIGH
What is CVE-2026-10667?
The vulnerability arises from improper synchronization in Zephyr's dynamic kernel-object tracking system, where the handling of a doubly-linked list of allocated kernel objects can lead to a use-after-free condition. Specifically, this flaw enables a race condition between iteration and modification of the object list across different CPU threads. When one CPU iterates over the list while another removes and frees nodes, it risks dereferencing freed memory, leading to potential kernel crashes or privilege escalation attacks. This critical issue impacts configurations using CONFIG_SMP, CONFIG_USERSPACE, and CONFIG_DYNAMIC_OBJECTS, dating back to changes introduced in 2019.
Affected Version(s)
zephyr 1.14.0 < 4.5.0
