Kernel Pipe Initialization Flaw in Zephyr by Zephyr Project
CVE-2026-10671

7.1HIGH

Key Information:

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-10671?

In the Zephyr real-time operating system, a significant flaw exists in its kernel pipe implementation, where the userspace syscall verifier incorrectly allows a user thread to reinitialize an already active pipe, leading to potential system state corruption. When a k_pipe object is re-initialized, all current reader and writer threads waiting on the pipe are left orphaned. This results in potential loss of wakeup signals, introduces data integrity issues, and may cause indefinite blocking of threads or silent data loss. A patch has been introduced to prevent user threads from invoking this harmful syscall on an initialized pipe.

Affected Version(s)

zephyr 4.1.0 < 4.5.0

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.