PatchSiren cyber security CVE debrief
CVE-2026-10638 zephyrproject CVE debrief
CVE-2026-10638 is a medium-severity denial of service vulnerability in Zephyr's networking stack. The vulnerability exists in the ICMPv6 implementation, specifically in the handling of Echo Request (ping) and error responses. When an ICMPv6 packet is sent, the code attempts to access the network interface from the packet after it has been freed, leading to a use-after-free read and potential write through an attacker-influenceable pointer. This can cause a crash and potentially lead to memory corruption.
- Vendor: zephyrproject
- Product: zephyr
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Users of Zephyr networking built with CONFIG_NET_NATIVE_IPV6 enabled, in versions roughly between v4.2.0 and v4.4.0, should be aware of this vulnerability.
Technical summary
The vulnerability is caused by the ICMPv6 implementation failing to cache the network interface pointer before sending the packet: the send routine frees the packet, and the code then reads the interface pointer back out of the freed packet to update statistics, which is a use-after-free read followed by a potential write through a stale pointer. An unauthenticated remote attacker can trigger this flaw by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error.
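The ordering bug described in the technical summary, and the fix the recommended actions describe (cache the interface pointer before the send, then use the cached value for statistics), as an added illustration that is not Zephyr's code and not taken from the fix commit. The structs, the `send_pkt` routine and the fault counter are hypothetical stand-ins: instead of really freeing memory, the stub marks the packet as released and records any later access, so the two orderings can be compared without triggering undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the interface and packet objects; these are not
 * Zephyr's real struct net_if / struct net_pkt. */
struct iface_stub {
    const char *name;
    uint32_t icmpv6_sent;      /* statistics counter updated after a send */
};

struct pkt_stub {
    struct iface_stub *iface;  /* interface the packet belongs to */
    bool live;                 /* false once the packet has been released */
};

/* Number of accesses to a packet after it was released. This is the stub's
 * stand-in for the use-after-free the advisory describes: a real stack would
 * crash or corrupt memory, the stub just records the fault. */
static unsigned uaf_reads;

/* Models reading pkt->iface. Records a fault and returns NULL if the packet
 * has already been released. */
static struct iface_stub *pkt_get_iface(const struct pkt_stub *pkt)
{
    if (!pkt->live) {
        uaf_reads++;
        return NULL;
    }
    return pkt->iface;
}

/* Models the send path: ownership of pkt moves to the stack, which releases
 * it once transmission is queued. The caller must not touch pkt afterwards. */
static int send_pkt(struct pkt_stub *pkt)
{
    pkt->live = false;
    pkt->iface = NULL;         /* the pool reuses the slot; old contents are gone */
    return 0;
}

/* Vulnerable ordering (as the advisory describes): send first, then fetch the
 * interface from the already-released packet to bump the statistics. */
static int echo_reply_vulnerable(struct pkt_stub *pkt)
{
    int ret = send_pkt(pkt);
    struct iface_stub *iface = pkt_get_iface(pkt);   /* use-after-free read */
    if (iface != NULL) {
        iface->icmpv6_sent++;  /* write through a stale pointer */
    }
    return ret;
}

/* Fixed ordering (as the advisory describes the fix): cache the interface
 * pointer while the packet is still live and use the cached value afterwards. */
static int echo_reply_fixed(struct pkt_stub *pkt)
{
    struct iface_stub *iface = pkt_get_iface(pkt);   /* cached before send */
    int ret = send_pkt(pkt);
    if (iface != NULL) {
        iface->icmpv6_sent++;  /* statistics go to the cached interface */
    }
    return ret;
}

/* Runs one handler on a fresh packet; returns the number of post-release
 * accesses and stores the interface's counter in *sent_out. */
static unsigned run_case(int (*handler)(struct pkt_stub *), uint32_t *sent_out)
{
    struct iface_stub eth0 = { .name = "eth0", .icmpv6_sent = 0 };
    struct pkt_stub pkt = { .iface = &eth0, .live = true };

    uaf_reads = 0;
    handler(&pkt);
    *sent_out = eth0.icmpv6_sent;
    return uaf_reads;
}

/* Convenience wrappers returning each measurement on its own. */
static unsigned faults_for(int (*handler)(struct pkt_stub *))
{
    uint32_t sent;
    return run_case(handler, &sent);
}

static uint32_t sent_for(int (*handler)(struct pkt_stub *))
{
    uint32_t sent;
    run_case(handler, &sent);
    return sent;
}

int main(void)
{
    printf("vulnerable: %u post-release access(es), icmpv6_sent=%u\n",
           faults_for(echo_reply_vulnerable), (unsigned)sent_for(echo_reply_vulnerable));
    printf("fixed:      %u post-release access(es), icmpv6_sent=%u\n",
           faults_for(echo_reply_fixed), (unsigned)sent_for(echo_reply_fixed));
    return 0;
}
```

The vulnerable ordering produces one post-release access and never updates the counter (the stub returns NULL instead of a dangling pointer); the fixed ordering produces none and the counter is incremented on the right interface. The general lesson is the one the fix embodies: when a callee takes ownership of an object and may free it, take everything you need out of that object before the call, not after.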
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a version of Zephyr that includes the fix, which caches the interface pointer before sending and uses it for all statistics updates.
- Until the fix is applied, keep vulnerable systems from receiving untrusted ICMPv6 traffic.
Evidence notes
The vulnerability is documented in the CVE record [cve-org] and the NVD detail page [nvd]. Additional information can be found in the Zephyr project's security advisory [ref-5] and the commit that fixes the issue [ref-4].
Official resources
CVE-2026-10638 was published on 2026-06-16T15:16:34.097Z and modified on 2026-06-16T15:23:42.240Z.