TCP Connection Management Vulnerability in Zephyr RTOS by the Zephyr Project
CVE-2026-5590

6.4MEDIUM

Key Information:

Vendor: Zephyrproject-rtos
Status: Zephyr
Vendor: CVE Published:; 5 April 2026

🔔 Create Zephyrproject-rtos Vulnerability Alert

What is CVE-2026-5590?

A race condition arises during the teardown of TCP connections in Zephyr RTOS, which can result in the tcp_recv() function operating on a connection that has already been released. This situation occurs when tcp_conn_search() returns NULL while processing a SYN packet, leading to the dereferencing of a NULL pointer obtained from stale context data in tcp_backlog_is_full(). This flaw may ultimately cause the system to crash, underscoring the importance of prompt mitigation and updates.

Affected Version(s)

Zephyr * <= 4.3

References

https://github.com/zephyrproject-rtos/zephyr/security/adv...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 5, 2026
Vulnerability Reserved
Apr 5, 2026

CVE-2026-5590 Data

JSON