CVE-2026-5072
Description
A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set. When a subsequent PTP_MSG_ANNOUNCE message is processed, port_timer_set_timeout_random computes a timeout as NSEC_PER_SEC >> -log_seconds; if the attacker-supplied value is sufficiently negative (e.g., -127), the shift amount exceeds the 64-bit integer width, triggering undefined behavior in C. This can cause a system crash via a compiler-generated illegal instruction trap on some architectures, or produce an erroneous zero timeout leading to resource starvation loops or other logical errors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote attacker can cause undefined behavior and potential system crash in Zephyr's PTP subsystem by sending a crafted message with an unvalidated negative log_announce_interval.
Vulnerability
A bitwise shift vulnerability exists in the Zephyr PTP subsystem. In port_timer_set_timeout_random (port.c:L107), the function computes (uint64_t)NSEC_PER_SEC >> -log_seconds. An unvalidated negative log_announce_interval value can be set via a crafted PTP_MSG_MANAGEMENT message processed by ptp_port_event_gen (port.c:L1061) and stored in the port's data set (port.c:L858). When a subsequent PTP_MSG_ANNOUNCE message triggers port_announce_msg_process (port.c:L1102), the attacker-controlled value is passed to the shift operation. If the value is sufficiently negative (e.g., -127), the shift amount exceeds 64-bit width, causing undefined behavior in C. Affected versions include Zephyr main before commit #104613, v4.3 before #108337, and v3.7 (patch pending) [1].
Exploitation
An attacker with network access to the target device sends a crafted PTP_MSG_MANAGEMENT packet to set the log_announce_interval to a large negative value (e.g., -127). Subsequently, the attacker (or any other sender) triggers a PTP_MSG_ANNOUNCE message. The PTP thread processes this message and calls port_announce_msg_process, which invokes port_timer_set_timeout_random with the attacker-controlled negative value. The shift operation NSEC_PER_SEC >> -log_seconds then executes with the excessive shift amount, leading to undefined behavior [1].
Impact
Undefined behavior from the excessive bitwise shift can manifest as a compiler-generated illegal instruction trap on some architectures, causing a system crash (Denial of Service). Alternatively, it may produce an erroneous zero timeout, resulting in resource starvation loops or other logical errors. The impact is limited to denial of service; no privilege escalation or information disclosure is indicated [1].
Mitigation
Patches are available: for Zephyr main, commit #104613; for v4.3, commit #108337; for v3.7, a patch is not yet fully specified. The recommended fix is to validate log_announce_interval and log_min_delay_req_interval against PTP specification limits (e.g., enforce a logical range such as +/-63) upon receipt in port_delay_resp_msg_process [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
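The range check recommended under Mitigation, shown beside the unchecked shift as an added example; this is not Zephyr's code or the upstream patch. The function names, the +/-63 bound taken from the text above, and the choice to reject a zero result are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL
#define LOG_INTERVAL_LIMIT 63 /* assumed bound; the advisory suggests +/-63 */

/* Hypothetical receive-side check, run before the value is stored. */
bool log_interval_is_valid(int8_t v)
{
    return v >= -LOG_INTERVAL_LIMIT && v <= LOG_INTERVAL_LIMIT;
}

/* Pattern from the advisory, for contrast: with log_seconds == -127 the
 * shift count is 127 on a 64-bit value, which is undefined behaviour. */
uint64_t interval_ns_unchecked(int8_t log_seconds)
{
    return log_seconds < 0 ? NSEC_PER_SEC >> -log_seconds
                           : NSEC_PER_SEC << log_seconds;
}

/* Hypothetical hardened conversion, defined for every int8_t input.
 * Returns false when the message should be dropped. */
bool interval_ns_checked(int8_t log_seconds, uint64_t *out_ns)
{
    if (!log_interval_is_valid(log_seconds)) {
        return false;
    }
    if (log_seconds < 0) {
        *out_ns = NSEC_PER_SEC >> -log_seconds; /* shift count 1..63 */
    } else if (NSEC_PER_SEC > (UINT64_MAX >> log_seconds)) {
        *out_ns = UINT64_MAX; /* saturate instead of wrapping */
    } else {
        *out_ns = NSEC_PER_SEC << log_seconds;
    }
    /* Example assumption: an in-range value that shifts to 0 is rejected. */
    return *out_ns != 0;
}

int main(void)
{
    const int8_t samples[] = { -127, -63, -29, -1, 0, 1, 63 }; /* constructed */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t ns = 0;
        bool ok = interval_ns_checked(samples[i], &ns);
        printf("%4d -> %s %llu\n", samples[i], ok ? "ok" : "drop", (unsigned long long)ns);
    }
    return 0;
}
```

Because NSEC_PER_SEC is below 2^30, any interval of -30 or lower shifts to zero even inside the +/-63 range, which is why the example treats a zero result as a reason to drop the message.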