Kernel Pipe Initialization Flaw in Zephyr by Zephyr Project
CVE-2026-10671
7.1HIGH
What is CVE-2026-10671?
In the Zephyr real-time operating system, a significant flaw exists in its kernel pipe implementation, where the userspace syscall verifier incorrectly allows a user thread to reinitialize an already active pipe, leading to potential system state corruption. When a k_pipe object is re-initialized, all current reader and writer threads waiting on the pipe are left orphaned. This results in potential loss of wakeup signals, introduces data integrity issues, and may cause indefinite blocking of threads or silent data loss. A patch has been introduced to prevent user threads from invoking this harmful syscall on an initialized pipe.
Affected Version(s)
zephyr 4.1.0 < 4.5.0
