PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10667 Zephyr Project CVE debrief

CVE-2026-10667 is a high-severity vulnerability in Zephyr's dynamic kernel-object tracking. The vulnerability exists in the kernel/userspace/userspace.c file, where iteration over a doubly-linked list of dynamically allocated kernel objects is performed under lists_lock, but list removal and freeing of nodes is performed under different spinlocks. This can lead to a use-after-free vulnerability, allowing for potential privilege escalation or denial of service. A deprivileged user thread on a CONFIG_SMP + CONFIG_USERSPACE build can therefore corrupt the kernel's object-tracking structures across the userspace security boundary, yielding kernel memory corruption or a kernel crash. The fix removes objfree_lock and serializes every obj_list modification under lists_lock, including holding it across find+remove in k_object_free() and around unref_check() in k_thread_perms_clear().

Vendor
Zephyr Project
Product
Zephyr RTOS
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-12
Original CVE updated
2026-07-12
Advisory published
2026-07-12
Advisory updated
2026-07-12

Who should care

Users of Zephyr's dynamic kernel-object tracking feature, particularly those using CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations, should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and updating configurations, monitoring system calls, and applying the fix provided by the Zephyr project.

Technical summary

The vulnerability exists in the kernel/userspace/userspace.c file, where iteration over a doubly-linked list of dynamically allocated kernel objects is performed under lists_lock, but list removal and freeing of nodes is performed under different spinlocks. This can lead to a use-after-free vulnerability, allowing for potential privilege escalation or denial of service. The fix removes objfree_lock and serializes every obj_list modification under lists_lock. Affects CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations; the defect dates to the 2019 spinlockification and shipped through v4.4.0.

Defensive priority

High

Recommended defensive actions

  • Apply the fix provided by the Zephyr project, which removes objfree_lock and serializes every obj_list modification under lists_lock.
  • Review and update CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations to ensure they are not vulnerable.
  • Monitor system calls k_object_alloc/k_object_alloc_size and k_object_release for potential exploitation attempts.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The vulnerability was introduced in 2019 and has been present in Zephyr versions since then. The fix is available in Zephyr version 4.4.1 and later. Evidence limits suggest that further verification is needed to confirm affected scope and severity. Defenders should verify system calls k_object_alloc/k_object_alloc_size and k_object_release for potential exploitation attempts. Additional review of CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations is recommended.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T17:16:24.670Z and has not been modified since then.