PatchSiren cyber security CVE debrief
CVE-2026-10634 zephyrproject CVE debrief
CVE-2026-10634 is a medium-severity vulnerability in Zephyr's native TCP stack. The vulnerability occurs in the `net_tcp_foreach()` function, which iterates over the global connection list. The function releases the `tcp_lock` while invoking a per-connection callback and re-acquires it afterwards. During this window, a concurrent `tcp_conn_release()` can remove and free the cached next connection, leading to a use-after-free condition. This can cause a denial of service and, if the slot has been reused, potentially allow for information disclosure or further faults. The vulnerability was introduced in 2020 with the modern TCP2 stack and affects releases up to and including v4.4.0.
- Vendor: zephyrproject
- Product: zephyr
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of Zephyr's native TCP stack, particularly those who utilize the 'net conn' network shell command or `net_tcp_close_all_for_iface()` on interface-down, should be aware of this vulnerability. The vulnerability can be triggered by ordinary TCP traffic.
Technical summary
The `net_tcp_foreach()` function in Zephyr's native TCP stack has a use-after-free vulnerability. The function iterates over the global connection list using `SYS_SLIST_FOR_EACH_CONTAINER_SAFE`, caching a pointer to the next list node. However, it releases `tcp_lock` while invoking the per-connection callback and re-acquires it afterwards. During this window, a concurrent `tcp_conn_release()` can remove and free the cached next connection, leading to a use-after-free condition.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the fix, which moves the connection/context teardown in `tcp_conn_release()` inside the `tcp_lock` critical section and keeps `tcp_lock` held across the callback in `net_tcp_foreach()`
- Update to a Zephyr version that includes the fix, specifically a version newer than v4.4.0
Evidence notes
The vulnerability was introduced in 2020 with the modern TCP2 stack and affects releases up to and including v4.4.0. The fix moves the connection/context teardown in `tcp_conn_release()` inside the `tcp_lock` critical section and keeps `tcp_lock` held across the callback in `net_tcp_foreach()`.
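The iteration pattern from the technical summary and the effect of the fix can be reproduced in a single-threaded model. This is an added example, not Zephyr source: the `conn` pool, `release()`, `cb()` and `foreach_conn()` are hypothetical stand-ins, a boolean stands in for `tcp_lock`, and the "concurrent" release is simulated by having the callback trigger it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not Zephyr code: a 3-slot pool on a singly linked list. */
struct conn { struct conn *next; bool in_use; };
static struct conn pool[3], *head, *pending; /* pending: release waiting on the lock */
static bool lock_held;                       /* stands in for tcp_lock */

static void reset(void) {
    for (int i = 0; i < 3; i++) {
        pool[i].in_use = true;
        pool[i].next = (i < 2) ? &pool[i + 1] : NULL;
    }
    head = &pool[0]; lock_held = false; pending = NULL;
}

/* Models tcp_conn_release() on another thread: unlink and free under the lock. */
static void release(struct conn *c) {
    if (lock_held) { pending = c; return; }  /* a real thread would block here */
    for (struct conn **pp = &head; *pp; pp = &(*pp)->next)
        if (*pp == c) { *pp = c->next; break; }
    c->in_use = false; c->next = NULL;       /* slot goes back to the pool */
}

/* While the first connection's callback runs, the "other thread" releases the second. */
static void cb(struct conn *c) { if (c == &pool[0]) release(&pool[1]); }

/* Walks the list; returns how many freed slots the iterator landed on. */
static int foreach_conn(bool drop_lock_for_cb) {
    int stale = 0;
    lock_held = true;
    for (struct conn *c = head, *next; c; c = next) {
        next = c->next;                      /* cached next, as the _SAFE macro does */
        if (!c->in_use) stale++;             /* cached pointer now names a freed slot */
        if (drop_lock_for_cb) lock_held = false;
        cb(c);
        lock_held = true;
    }
    lock_held = false;
    if (pending) { release(pending); pending = NULL; } /* blocked release proceeds */
    return stale;
}

int main(void) {
    reset(); int racy = foreach_conn(true);
    reset(); printf("stale visits: lock dropped=%d, lock held=%d\n", racy, foreach_conn(false));
    return 0;
}
```

With the lock dropped around the callback the walk lands on the freed slot and never reaches the third connection; with the lock held the release waits until the walk has finished.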
Official resources
CVE-2026-10634 was published on 2026-06-15T16:16:32.223Z.