PatchSiren cyber security CVE debrief
CVE-2026-10667 Zephyr Project CVE debrief
CVE-2026-10667 is a high-severity vulnerability in Zephyr's dynamic kernel-object tracking. The vulnerability exists in the kernel/userspace/userspace.c file, where iteration over a doubly-linked list of dynamically allocated kernel objects is performed under lists_lock, but list removal and freeing of nodes is performed under different spinlocks. This can lead to a use-after-free vulnerability, allowing for potential privilege escalation or denial of service. A deprivileged user thread on a CONFIG_SMP + CONFIG_USERSPACE build can therefore corrupt the kernel's object-tracking structures across the userspace security boundary, yielding kernel memory corruption or a kernel crash. The fix removes objfree_lock and serializes every obj_list modification under lists_lock, including holding it across find+remove in k_object_free() and around unref_check() in k_thread_perms_clear().
- Vendor
- Zephyr Project
- Product
- Zephyr RTOS
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-12
- Original CVE updated
- 2026-07-12
- Advisory published
- 2026-07-12
- Advisory updated
- 2026-07-12
Who should care
Users of Zephyr's dynamic kernel-object tracking feature, particularly those using CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations, should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and updating configurations, monitoring system calls, and applying the fix provided by the Zephyr project.
Technical summary
The vulnerability exists in the kernel/userspace/userspace.c file, where iteration over a doubly-linked list of dynamically allocated kernel objects is performed under lists_lock, but list removal and freeing of nodes is performed under different spinlocks. This can lead to a use-after-free vulnerability, allowing for potential privilege escalation or denial of service. The fix removes objfree_lock and serializes every obj_list modification under lists_lock. Affects CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations; the defect dates to the 2019 spinlockification and shipped through v4.4.0.
Defensive priority
High
Recommended defensive actions
- Apply the fix provided by the Zephyr project, which removes objfree_lock and serializes every obj_list modification under lists_lock.
- Review and update CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations to ensure they are not vulnerable.
- Monitor system calls k_object_alloc/k_object_alloc_size and k_object_release for potential exploitation attempts.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The vulnerability was introduced in 2019 and has been present in Zephyr versions since then. The fix is available in Zephyr version 4.4.1 and later. Evidence limits suggest that further verification is needed to confirm affected scope and severity. Defenders should verify system calls k_object_alloc/k_object_alloc_size and k_object_release for potential exploitation attempts. Additional review of CONFIG_SMP+CONFIG_USERSPACE+CONFIG_DYNAMIC_OBJECTS configurations is recommended.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T17:16:24.670Z and has not been modified since then.