PatchSiren cyber security CVE debrief
CVE-2026-5072 zephyrproject-rtos CVE debrief
CVE-2026-5072 is a remotely reachable denial-of-service issue in Zephyr's PTP subsystem. A crafted PTP_MSG_MANAGEMENT message can set an unvalidated negative log_announce_interval value, and later processing of a PTP_MSG_ANNOUNCE message can drive an invalid right-shift in timeout calculation. Because the shift amount can exceed the width of the integer type, the behavior is undefined in C and may crash the system or produce incorrect timer values.
- Vendor: zephyrproject-rtos
- Product: Zephyr
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-22
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-22
Who should care
Zephyr maintainers, embedded product teams using Zephyr PTP, system integrators shipping time-synchronization features, and operators of devices exposed to untrusted network traffic on timing interfaces.
Technical summary
The supplied description says the vulnerable path accepts a negative log_announce_interval via a management message without sufficient validation. When port_timer_set_timeout_random later computes NSEC_PER_SEC >> -log_seconds, a sufficiently negative value produces a shift count that is at or above the width of the integer type. In C, that is undefined behavior; depending on compiler and architecture, it may trap with an illegal instruction, crash the device, or yield a zero timeout that disrupts scheduling or timer behavior.
Defensive priority
High for deployments where the Zephyr PTP subsystem is enabled and reachable by untrusted peers; the impact is denial of service and potentially unstable timer logic.
Recommended defensive actions
- Apply the Zephyr fix or vendor update that adds bounds checking for log_announce_interval and the derived shift value.
- Limit exposure of PTP management and announce traffic to trusted, isolated network segments.
- If PTP is not required, disable the subsystem or related management functionality in affected builds.
- Monitor affected devices for unexpected crashes, resets, or timer starvation symptoms after PTP traffic is received.
- Review code paths that transform protocol values into shift counts and add explicit range validation before bitwise operations.
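To make the failure mode from the technical summary and the last recommendation concrete, here is an added example in C. It is not Zephyr's code and is not taken from the advisory; NSEC_PER_SEC is a local 64-bit stand-in for Zephyr's macro, the bounds LOG_ANNOUNCE_MIN and LOG_ANNOUNCE_MAX are hypothetical policy values, and the field is assumed to be a signed 8-bit integer as in the PTP wire format. The unchecked function mirrors the shape of the computation named in the CVE (the negated log interval used directly as a shift count); the checked function rejects any count at or above the type width, and the validator rejects out-of-range values at parse time so they never reach the timer code.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for Zephyr's NSEC_PER_SEC, kept 64-bit here (assumption). */
#define NSEC_PER_SEC 1000000000ULL
#define NSEC_WIDTH   (sizeof(uint64_t) * CHAR_BIT)   /* 64 bits */

/* Hypothetical policy bounds for logAnnounceInterval as received from a
 * PTP_MSG_MANAGEMENT message. The exact bounds a product accepts are a
 * deployment decision; the point is that a bound exists and is enforced
 * before the value is stored. */
#define LOG_ANNOUNCE_MIN (-4)
#define LOG_ANNOUNCE_MAX 4

/* Shape of the computation described in the CVE: the negated log interval
 * becomes the shift count with no upper bound. A constructed input of -100
 * gives a count of 100, which is >= 64 and therefore undefined behaviour.
 * This example only ever calls it with counts already known to be valid. */
uint64_t timeout_ns_unchecked(int8_t log_seconds)
{
    return NSEC_PER_SEC >> -log_seconds;
}

/* Hardened form: validate the derived shift count before the bitwise
 * operation. Returns 0 and stores the timeout in *out, or -EINVAL. */
int timeout_ns_checked(int8_t log_seconds, uint64_t *out)
{
    if (log_seconds < 0) {
        /* Negate as int, not int8_t, so -INT8_MIN cannot overflow. */
        unsigned int shift = (unsigned int)(-(int)log_seconds);

        if (shift >= NSEC_WIDTH) {
            return -EINVAL;
        }
        *out = NSEC_PER_SEC >> shift;
        return 0;
    }

    /* Non-negative intervals shift left. NSEC_PER_SEC < 2^30, so counts up
     * to 34 still fit in 64 bits; anything larger would overflow. */
    if (log_seconds > 34) {
        return -EINVAL;
    }
    *out = NSEC_PER_SEC << log_seconds;
    return 0;
}

/* Parse-time check for the management message field, so a bad value is
 * rejected when the message is processed rather than when a later
 * PTP_MSG_ANNOUNCE message triggers the timer calculation. */
int validate_log_announce_interval(int8_t value)
{
    return (value >= LOG_ANNOUNCE_MIN && value <= LOG_ANNOUNCE_MAX) ? 0 : -EINVAL;
}

int main(void)
{
    /* Constructed sample values: in-range, just out of policy, and
     * values whose negation is at or above the 64-bit width. */
    const int8_t samples[] = { 0, 2, -3, LOG_ANNOUNCE_MIN - 1, -100, INT8_MIN };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int8_t v = samples[i];
        uint64_t ns = 0;
        int field_rc = validate_log_announce_interval(v);
        int shift_rc = timeout_ns_checked(v, &ns);

        printf("log_interval=%4d field=%-6s timeout=",
               v, field_rc == 0 ? "accept" : "reject");
        if (shift_rc == 0) {
            printf("%llu ns\n", (unsigned long long)ns);
        } else {
            printf("rejected (shift count out of range)\n");
        }
    }
    return 0;
}
```

The two checks are deliberately separate: the field validator is the fix the advisory implies (bounds on log_announce_interval at the point it is set), while the shift-count check is the defence-in-depth a reviewer would ask for in any code path that turns a protocol value into a shift count, since it holds even if a future code change routes an unvalidated value to the timer function.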
Evidence notes
The NVD record for CVE-2026-5072 is marked Received and references the Zephyr Project security advisory GHSA-3v98-458v-388r. The supplied vulnerability description states that a crafted PTP_MSG_MANAGEMENT message can set a negative log_announce_interval, and a later PTP_MSG_ANNOUNCE message can trigger undefined right-shift behavior in port_timer_set_timeout_random. This debrief relies only on the provided CVE description and official reference links.
Official resources
- CVE-2026-5072 CVE record (CVE.org)
- CVE-2026-5072 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Publicly disclosed in the supplied CVE record on 2026-05-22T08:16:15.027Z, with the NVD entry referencing a Zephyr Project security advisory.