Input-Validation Flaw in Zephyr's IPv6 Neighbor Discovery Process
CVE-2026-7656

8.1HIGH

Key Information:

Vendor: Zephyrproject
Status: Zephyr
Vendor: CVE Published:; 29 June 2026

🔔 Create Zephyrproject Vulnerability Alert

What is CVE-2026-7656?

The vulnerability arises from a flaw in the IPv6 Neighbor Discovery handlers within Zephyr RTOS, where an erroneous boolean expression allows an attacker to manipulate legitimate Neighbor Discovery (ND) messages. Specifically, the misuse of operator precedence in the validity checks permits crafted Router Advertisement, Neighbor Solicitation, and Neighbor Advertisement messages to be processed without proper validation. This bypass enables an adjacent attacker to reconfigure critical network parameters, such as routing configurations and timer settings, and conduct further attacks such as neighbor-cache poisoning. The flaw has been present in the code since its introduction and affects all versions up to 4.4.0. A fix has been implemented by refining the condition checks to ensure any failed verification results in packet rejection, thereby enhancing the security of the system.

Affected Version(s)

zephyr 1.14.0 < 4.5.0

References

https://github.com/zephyrproject-rtos/zephyr/commit/095f0...

patch

https://github.com/zephyrproject-rtos/zephyr/security/adv...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 29, 2026
Vulnerability Reserved
May 1, 2026

CVE-2026-7656 Data

JSON