NULL Dereference Vulnerability in Zephyr RTOS Affecting k_thread_name_copy System Call
CVE-2026-10670
5.5MEDIUM
What is CVE-2026-10670?
The CONFIG_USERSPACE verification handler in Zephyr RTOS is vulnerable due to improper handling of user-supplied pointers in the k_thread_name_copy() system call. An unprivileged user-mode thread can pass an unregistered pointer, leading to a NULL dereference. This flaw allows untrusted user code to crash the kernel by causing a kernel-mode fault, which may result in system halts or reboots. The flaw affects builds with CONFIG_USERSPACE and CONFIG_THREAD_NAME enabled and has existed since version 2.0.0. The kernel implementation has been updated to enhance verification by checking for NULL return values from k_object_find() before dereferencing pointers.
Affected Version(s)
zephyr 2.0.0 < 4.5.0
