PatchSiren cyber security CVE debrief
CVE-2026-10637 zephyrproject CVE debrief
CVE-2026-10637 is a remotely triggerable denial of service vulnerability in the Zephyr networking stack. The vulnerability exists in the `mld_send()` function, which reads the packet interface after `net_send_data(pkt)` has returned successfully. This is problematic because `net_send_data(pkt)` transfers ownership of the `net_pkt` to the L2 driver, which frees it upon success. As a result, the subsequent `net_pkt_iface(pkt)` call reads a freed object, leading to a potential NULL-pointer dereference or memory corruption when `CONFIG_NET_STATISTICS_PER_INTERFACE` is enabled. The vulnerability can be triggered by sending a valid MLDv2 General Query to the local link without authentication.
- Vendor: zephyrproject
- Product: zephyr
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Users of Zephyr's IPv6 MLD functionality, especially those who enable `CONFIG_NET_STATISTICS_PER_INTERFACE`, should be aware of this vulnerability. It could lead to a denial of service or, in some cases, memory corruption.
Technical summary
The vulnerability is a use of the `net_pkt` object after `net_send_data()` has freed it. The fix caches the interface in a local variable before sending the packet and does not touch the packet at all after `net_send_data()` returns.
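As an added illustration (not Zephyr's code), the following C models the vulnerable and fixed shapes of `mld_send()` using constructed stand-ins for `net_pkt`, `net_if`, `net_pkt_iface()`, `net_send_data()` and the per-interface statistics update; the stand-in `net_send_data()` marks the packet as freed instead of releasing real memory, so the use-after-free surfaces as an error code rather than undefined behaviour.

```c
#include <stddef.h>
#include <stdbool.h>
/* Constructed stand-ins for Zephyr's net_if and net_pkt; not the real structs. */
struct net_if  { int index; unsigned long mld_sent; };
struct net_pkt { struct net_if *iface; bool freed; };
/* Stand-in for net_pkt_iface(): a freed (poisoned) packet yields NULL here, where real freed memory yields garbage or a fault. */
static struct net_if *net_pkt_iface(struct net_pkt *pkt)
{
    return pkt->freed ? NULL : pkt->iface;
}

/* Stand-in for net_send_data(): on success the L2 driver owns and releases pkt; the caller must not touch it afterwards. */
static int net_send_data(struct net_pkt *pkt)
{
    pkt->freed = true;
    return 0;
}

/* Constructed stand-in for the CONFIG_NET_STATISTICS_PER_INTERFACE update; Zephyr would dereference a NULL iface here. */
static int mld_stats_sent(struct net_if *iface)
{
    if (iface == NULL) return -1;   /* models the crash the advisory describes */
    iface->mld_sent++;
    return 0;
}

/* Vulnerable shape of mld_send(): pkt is read after ownership was transferred. */
static int mld_send_vulnerable(struct net_pkt *pkt)
{
    int ret = net_send_data(pkt);
    if (ret < 0) return ret;
    return mld_stats_sent(net_pkt_iface(pkt));   /* use-after-free */
}

/* Fixed shape: cache the interface first and never touch pkt after sending. */
static int mld_send_fixed(struct net_pkt *pkt)
{
    struct net_if *iface = net_pkt_iface(pkt);
    int ret = net_send_data(pkt);
    if (ret < 0) return ret;
    return mld_stats_sent(iface);
}

/* Sends one packet through the given routine; returns its result (0 = ok). */
static int run_mld_send(int (*send)(struct net_pkt *))
{
    struct net_if iface = { .index = 1, .mld_sent = 0 };
    struct net_pkt pkt = { .iface = &iface, .freed = false };
    return send(&pkt);
}
```

With the poisoned stand-in, the vulnerable routine fails after the send while the fixed routine updates the cached interface normally.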
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the fix from Zephyr's commit [ref-4](https://github.com/zephyrproject-rtos/zephyr/commit/3159c53e8e7d233c2a85a0798cf25ac441db6dae).
- Review and apply advisory [ref-5](https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-m23w-34pp-4h92) for additional guidance.
Evidence notes
The CVE record [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-10637) and NVD detail [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-10637) provide additional context and information about this vulnerability.
Official resources
CVE-2026-10637 was published on 2026-06-16T15:16:33.987Z and modified on 2026-06-16T15:23:42.240Z.