PatchSiren cyber security CVE debrief
CVE-2026-10635 zephyrproject CVE debrief
CVE-2026-10635 is a medium-severity vulnerability in the Zephyr kernel, affecting Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU. The vulnerability arises from the page-table code maintaining a global list of active memory domains. When a domain is destroyed, its node is not removed from the list, leading to a dangling pointer. This can cause a NULL pointer dereference or, if the memory has been freed or reused, page-table memory corruption. The vulnerability is reachable only from privileged kernel/supervisor code, not directly from unprivileged user threads or remotely. Affected versions include Zephyr v4.4.0; the issue was fixed on the main branch by adding sys_slist_find_and_remove() in arch_mem_domain_deinit().
- Vendor: zephyrproject
- Product: zephyr
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Developers and users of the Zephyr kernel, especially those using Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, should be aware of this vulnerability. It is recommended to update to a fixed version of Zephyr to mitigate the issue.
Technical summary
The vulnerability is caused by the page-table code (arch/xtensa/core/ptables.c) not removing the domain's node from the global list xtensa_domain_list when a domain is destroyed via k_mem_domain_deinit(). This leads to a dangling pointer that can cause a NULL pointer dereference or page-table memory corruption when traversed by subsequent arch_mem_map()/arch_mem_unmap() operations.
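The defect class described in the summary above, as an added example constructed for this debrief rather than code taken from Zephyr: a toy intrusive singly linked list stands in for the kernel's list type and its global domain list, and a deinit routine that forgets to unlink the node is placed beside one that performs the find-and-remove step before the domain goes away. The names used here (`domain_deinit_vulnerable`, `domain_deinit_fixed`, `run_scenario`, the `live` flag) are assumptions of this example, not Zephyr identifiers.

```c
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal intrusive singly linked list. Constructed for this example to mirror
 * the shape of a kernel slist; it is not Zephyr's sys_slist API. */
struct snode { struct snode *next; };
struct slist { struct snode *head; struct snode *tail; };

static void slist_init(struct slist *l) { l->head = l->tail = NULL; }

static void slist_append(struct slist *l, struct snode *n) {
    n->next = NULL;
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n;
}

/* Unlink n from l; returns true if it was present. */
static bool slist_find_and_remove(struct slist *l, struct snode *n) {
    struct snode *prev = NULL;
    for (struct snode *cur = l->head; cur; prev = cur, cur = cur->next) {
        if (cur == n) {
            if (prev) prev->next = cur->next; else l->head = cur->next;
            if (l->tail == cur) l->tail = prev;
            cur->next = NULL;
            return true;
        }
    }
    return false;
}

/* Stand-in for a memory domain's arch-specific state. A "live" flag replaces
 * real allocation so a stale list entry can be observed without touching
 * memory that has actually been freed. */
struct mem_domain {
    struct snode node;   /* first member, so a node pointer is the domain pointer */
    bool live;
    int id;
};

static struct slist domain_list;  /* analogue of a global list of active domains */

static void domain_init(struct mem_domain *d, int id) {
    d->id = id;
    d->live = true;
    slist_append(&domain_list, &d->node);
}

/* Vulnerable pattern: the domain is torn down but its node stays in the list. */
static void domain_deinit_vulnerable(struct mem_domain *d) {
    d->live = false;
}

/* Fixed pattern: unlink the node before the domain's storage is released. */
static void domain_deinit_fixed(struct mem_domain *d) {
    slist_find_and_remove(&domain_list, &d->node);
    d->live = false;
}

/* Walk the list the way a later map/unmap update would and count entries that
 * refer to domains no longer live. Any non-zero result is a dangling pointer. */
static int count_stale_entries(void) {
    int stale = 0;
    for (struct snode *n = domain_list.head; n; n = n->next) {
        struct mem_domain *d = (struct mem_domain *)n;
        if (!d->live) stale++;
    }
    return stale;
}

static int count_entries(void) {
    int total = 0;
    for (struct snode *n = domain_list.head; n; n = n->next) total++;
    return total;
}

/* Scenario: create three domains, destroy the middle one with the given deinit,
 * and report how many stale entries the traversal encounters. */
static int run_scenario(void (*deinit)(struct mem_domain *)) {
    static struct mem_domain pool[3];
    slist_init(&domain_list);
    for (int i = 0; i < 3; i++) domain_init(&pool[i], i);
    deinit(&pool[1]);
    return count_stale_entries();
}

int main(void) {
    printf("vulnerable deinit: %d stale entries of %d\n",
           run_scenario(domain_deinit_vulnerable), count_entries());
    printf("fixed deinit:      %d stale entries of %d\n",
           run_scenario(domain_deinit_fixed), count_entries());
    return 0;
}
```

The `live` flag is a deliberate substitute for freeing the domain: it lets the traversal show that the vulnerable deinit leaves one entry pointing at a destroyed domain while the fixed deinit leaves none, without the example itself dereferencing freed memory. In a real kernel the stale node would be read by the next map or unmap walk, which is the NULL dereference or page-table corruption the advisory describes.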
Defensive priority
Medium
Recommended defensive actions
- Update to a fixed version of Zephyr (main branch) that includes the fix, which adds a sys_slist_find_and_remove() call in arch_mem_domain_deinit().
- Avoid using vulnerable versions of Zephyr (e.g., v4.4.0) on Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU.
Evidence notes
CVE-2026-10635 has a CVSS score of 6.3 and is classified as MEDIUM severity. The vulnerability was published and modified on 2026-06-16T06:16:57.770Z. References include commits and advisories from the Zephyr project.
Official resources
CVE-2026-10635 was published and modified on 2026-06-16T06:16:57.770Z.