Vypr Intelligence · AI-generated · Jun 16, 2026 · 7 CVEs

Zephyr RTOS: Seven Use-After-Free Bugs Disclosed Across Network Stack and Xtensa MMU

Zephyr RTOS disclosed seven use-after-free and memory-safety vulnerabilities across its IPv4, IPv6, TCP, and Xtensa MMU subsystems, six of which stem from a systemic violation of the network stack's packet-ownership contract.

Key findings

  • Six of seven CVEs share a use-after-free pattern: packet metadata is read after ownership has been transferred to the TX path
  • CVE-2026-10635 (CVSS 6.3) is a use-after-free in the Xtensa MMU memory-domain list, the highest-severity bug in the batch
  • CVE-2026-10634 is a TCP connection-list race condition triggered during iteration with lock release
  • All bugs fixed in a single Zephyr security release; no evidence of in-the-wild exploitation reported
  • The systemic pattern across six protocol handlers suggests a gap in code review around network stack ownership semantics

Zephyr RTOS: Seven Use-After-Free and Memory-Safety Bugs Disclosed in Networking and MMU Code

Seven medium-to-low severity vulnerabilities were disclosed together on June 15–16, 2026, in the Zephyr real-time operating system (RTOS). Six of the bugs share a common root cause: the network stack reads packet metadata — specifically the network interface — after ownership of the packet has already been transferred to the transmit path, creating a use-after-free window. The seventh flaw is a use-after-free in the Xtensa MMU page-table code that can corrupt the kernel's memory-domain list. All seven CVEs were published by the Zephyr project's security advisory process.

Use-After-Free in IPv6 Neighbor Discovery and ICMPv6

Three CVEs target the IPv6 Neighbor Discovery and ICMPv6 subsystems. CVE-2026-10640 (CVSS 4.2) affects the Neighbor Advertisement (NA), Neighbor Solicitation (NS), and Router Solicitation (RS) send paths in ipv6_nbr.c. After net_send_data(pkt) returns successfully, the code calls net_pkt_iface(pkt) to update per-interface ICMP-sent statistics — but the network stack already owns and may have released the packet. CVE-2026-10638 (CVSS 5.9) is the same pattern in icmpv6_handle_echo_request() and net_icmpv6_send_error(): the reply packet is handed to net_try_send_data(), and then the interface pointer is read from the now-possibly-freed packet. CVE-2026-10637 (CVSS 5.9) repeats the bug in the MLD (Multicast Listener Discovery) send function mld_send(). The Zephyr source code itself contains an explicit warning in net_core.c — "do not use pkt after that call" — yet all three paths violate that contract.

ICMPv4 Echo Reply and IGMP Send Paths

The same ownership violation appears in the IPv4 stack. CVE-2026-10639 (CVSS 4.8) is in icmpv4_handle_echo_request(): the echo-reply packet is built, sent via net_try_send_data(), and then net_stats_update_icmp_sent() reads the interface from the packet. CVE-2026-10636 (CVSS 3.7, Low severity) affects the IGMP send function igmp_send() in igmp.c. On the successful-send path, the L2 driver or network core may have already released the packet's last reference before the interface is read. Together these five bugs show a systemic failure to follow the network stack's ownership model across multiple protocol handlers.
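The ownership bug shared by the IPv6, ICMPv4 and IGMP send paths above, shown with the vulnerable shape beside the fixed shape. This is an added illustration, not Zephyr's code: struct net_if, struct net_pkt, net_pkt_iface() and net_send_data() are constructed stand-ins that model the TX path releasing the packet, so the unsafe read is counted rather than dereferencing freed memory.

```c
#include <stddef.h>
/* Constructed stand-ins for Zephyr's struct net_if / struct net_pkt (not the real API). */
struct net_if { int icmp_sent; };
struct net_pkt { struct net_if *iface; int freed; };
static int uaf_reads;   /* reads of a packet after its ownership was handed off */

/* Stand-in for net_pkt_iface(): flags the access if the packet is already gone. */
static struct net_if *net_pkt_iface(struct net_pkt *pkt)
{
    if (pkt->freed) { uaf_reads++; return NULL; }
    return pkt->iface;
}

/* Stand-in for net_send_data(): takes ownership ("do not use pkt after that call")
 * and models the L2 driver releasing the last reference on the success path. */
static int net_send_data(struct net_pkt *pkt)
{
    pkt->iface = NULL;
    pkt->freed = 1;
    return 0;
}

/* Vulnerable shape from the advisories: hand off first, read the iface afterwards. */
static int send_reply_vulnerable(struct net_pkt *pkt)
{
    if (net_send_data(pkt) < 0) return -1;
    struct net_if *iface = net_pkt_iface(pkt);   /* use-after-free window */
    if (iface) iface->icmp_sent++;
    return 0;
}

/* Fixed shape: cache the interface while the packet is still ours, then hand off. */
static int send_reply_fixed(struct net_pkt *pkt)
{
    struct net_if *iface = net_pkt_iface(pkt);
    if (net_send_data(pkt) < 0) return -1;
    iface->icmp_sent++;                           /* stats via the cached pointer */
    return 0;
}

/* Runs one path on a fresh packet. Returns -1 if a freed packet was read,
 * otherwise the interface's ICMP-sent counter. */
static int run_path(int (*path)(struct net_pkt *))
{
    struct net_if iface = { 0 };
    struct net_pkt pkt = { &iface, 0 };
    uaf_reads = 0;
    path(&pkt);
    return uaf_reads ? -1 : iface.icmp_sent;
}
```

The same reordering (or caching the interface pointer before the send) is what the advisory describes as the fix for all of the packet-ownership CVEs.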

TCP Connection-List Race Condition

CVE-2026-10634 (CVSS 4.8) is a different class of bug in the native TCP stack. The function net_tcp_foreach() iterates the global connection list using SYS_SLIST_FOR_EACH_CONTAINER_SAFE, which caches a pointer to the next list node. The function releases tcp_lock while invoking the per-connection callback and re-acquires it afterward. If the callback removes the current connection from the list, the cached next pointer becomes stale, leading to a use-after-free on the list traversal. This race condition can be triggered by any operation that modifies the TCP connection table during iteration.
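A constructed model of the net_tcp_foreach() race described above (added here, not Zephyr's sys_slist or tcp_lock code): the cached-next walk runs once with the lock dropped around the callback and once holding it for the whole walk, against a stand-in concurrent remover that unlinks the cached next node during the unlocked window. Nodes are statically allocated and "freed" by flag, so the stale step is counted instead of dereferenced.

```c
#include <stddef.h>
/* Constructed model of net_tcp_foreach(); stand-ins, not Zephyr's sys_slist or tcp_lock. */
struct conn { struct conn *next; int alive; };
static struct conn pool[4], *tcp_list;   /* static nodes: "free" = alive 0, so no real UB */
static int tcp_locked;                   /* stand-in for tcp_lock (single-threaded model) */

/* Concurrent remover: unlinks c and marks it freed. It can only run while the
 * iterator is not holding the lock (otherwise it would block on tcp_lock). */
static int conn_remove(struct conn *c)
{
    if (tcp_locked) return 0;
    for (struct conn **pp = &tcp_list; *pp; pp = &(*pp)->next)
        if (*pp == c) { *pp = c->next; c->alive = 0; return 1; }
    return 0;
}

/* Per-connection callback standing in for work done with the lock dropped:
 * in that window another path removes the iterator's cached next node. */
static void cb_concurrent_remove(struct conn *c)
{
    if (c->next) conn_remove(c->next);
}

/* SAFE-style walk (next cached before visiting current). drop_lock=1 is the
 * vulnerable shape (unlock around cb); 0 holds tcp_lock for the whole walk. */
static int tcp_foreach(void (*cb)(struct conn *), int drop_lock)
{
    int stale = 0;
    tcp_locked = 1;
    for (struct conn *c = tcp_list, *n = NULL; c; c = n) {
        n = c->next;                  /* cached, like SYS_SLIST_FOR_EACH_CONTAINER_SAFE */
        if (drop_lock) tcp_locked = 0;
        cb(c);
        if (drop_lock) tcp_locked = 1;
        if (n && !n->alive) { stale++; break; }   /* real code would deref freed memory here */
    }
    tcp_locked = 0;
    return stale;
}

/* Builds a fresh list 0 -> 1 -> 2 -> 3 and walks it with the remover active. */
static int run_scenario(int drop_lock)
{
    for (int i = 0; i < 4; i++) {
        pool[i].next = (i < 3) ? &pool[i + 1] : NULL; pool[i].alive = 1;
    }
    tcp_list = &pool[0];
    return tcp_foreach(cb_concurrent_remove, drop_lock);
}
```

run_scenario(1) reports one stale step (the cached next was freed while unlocked); run_scenario(0) reports none, which is the effect of holding tcp_lock across the entire iteration.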

Xtensa MMU Domain-List Use-After-Free

CVE-2026-10635 (CVSS 6.3, the highest severity in the batch) is in the Xtensa architecture's page-table code. On targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the file ptables.c maintains a global linked list of active memory domains (xtensa_domain_list) using a list node embedded inside the caller-owned struct k_mem_domain. When k_mem_domain_deinit() destroys a domain, the list node is removed — but if any other code path still holds a reference to the domain, the list pointer becomes dangling. An attacker who can trigger domain destruction while another thread iterates the list can cause memory corruption or a crash.

Patch Status and Mitigation

The Zephyr project has addressed all seven CVEs in a single security release. Users should update to the latest Zephyr version that includes the fixes. The networking bugs are fixed by moving the statistics-update calls before the packet is handed to the send path, or by caching the interface pointer beforehand. The TCP race is resolved by holding tcp_lock across the entire iteration. The Xtensa MMU fix ensures the domain list node is properly removed and that no stale references remain.

Why This Batch Matters

Zephyr is widely deployed in IoT, industrial control, and embedded systems where memory safety is critical. While none of these CVEs carry a "Critical" severity, the systemic nature of the use-after-free pattern across six different protocol handlers suggests a deeper gap in code-review practices around the network stack's ownership semantics. The Xtensa MMU bug, though architecture-specific, affects any Zephyr deployment on Xtensa hardware with userspace enabled — a growing segment as RISC-V and Xtensa-based SoCs gain traction. Users should prioritize updating to the patched release, especially for devices exposed to untrusted network traffic.

AI-written article. Grounded in 7 CVE records listed below.