NULL Dereference Vulnerability in Zephyr RTOS Affecting k_thread_name_copy System Call
CVE-2026-10670

5.5MEDIUM

Key Information:

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-10670?

The CONFIG_USERSPACE verification handler in Zephyr RTOS is vulnerable due to improper handling of user-supplied pointers in the k_thread_name_copy() system call. An unprivileged user-mode thread can pass an unregistered pointer, leading to a NULL dereference. This flaw allows untrusted user code to crash the kernel by causing a kernel-mode fault, which may result in system halts or reboots. The flaw affects builds with CONFIG_USERSPACE and CONFIG_THREAD_NAME enabled and has existed since version 2.0.0. The kernel implementation has been updated to enhance verification by checking for NULL return values from k_object_find() before dereferencing pointers.

Affected Version(s)

zephyr 2.0.0 < 4.5.0

References

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.