PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10639 zephyrproject CVE debrief

CVE-2026-10639 is a use-after-free vulnerability in Zephyr's native IPv4 stack. The vulnerability occurs when the `icmpv4_handle_echo_request` function builds an echo-reply packet, hands it to `net_try_send_data()`, and then, on success, calls `net_stats_update_icmp_sent(net_pkt_iface(reply))`. The `net_try_send_data()` function transfers ownership of the reply packet to the TX path, which can unref it to refcount 0 and return the `struct net_pkt` to its slab before the stats line runs. This results in a use-after-free read of `reply->iface` out of a freed and possibly reallocated `net_pkt`. If `CONFIG_NET_STATISTICS_PER_INTERFACE` is enabled, the stats macro also increments a counter through that value, so a wild-pointer write is possible as well. The vulnerability can be triggered by any remote host that pings the device and is gated on `CONFIG_NET_STATISTICS_ICMP`. The impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write, most likely resulting in corrupted interface statistics or a remotely triggerable crash (DoS). The defect was introduced in 2019 (v1.14) and is present through v4.4.0.

Vendor
zephyrproject
Product
zephyr
CVSS
MEDIUM 4.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-16
Original CVE updated
2026-06-16
Advisory published
2026-06-16
Advisory updated
2026-06-16

Who should care

Users of Zephyr's native IPv4 stack, especially those who have enabled `CONFIG_NET_STATISTICS_ICMP` and `CONFIG_NET_STATISTICS_PER_INTERFACE`, should be aware of this vulnerability. Remote attackers can exploit this vulnerability to potentially crash the device or corrupt interface statistics.

Technical summary

The vulnerability occurs in the `icmpv4_handle_echo_request` function in `subsys/net/ip/icmpv4.c`. The function builds an echo-reply packet, hands it to `net_try_send_data()`, and then calls `net_stats_update_icmp_sent(net_pkt_iface(reply))` on success. However, `net_try_send_data()` can unref the reply packet to refcount 0 and return it to its slab before the stats line runs, resulting in a use-after-free read.

Defensive priority

High

Recommended defensive actions

  • Apply the fix by caching the interface pointer from the live received packet before sending and using it for the post-send stats updates.
  • Review and apply the patches provided in the references [ref-4] and [ref-5].

Evidence notes

The vulnerability was introduced in 2019 (v1.14) and is present through v4.4.0. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates.
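The following is an added illustration of the defect described in the technical summary and of the fix described above; it is not Zephyr code and not part of the original debrief. It models `net_pkt`, `net_pkt_iface()`, `net_try_send_data()` and `net_stats_update_icmp_sent()` with a few-line refcounted slab (the names mirror the advisory, the bodies are assumptions), so that the freed slot is poisoned deterministically instead of being recycled at random. The vulnerable shape reads the interface pointer from the reply after ownership has been handed to the TX path; the fixed shape caches it from the still-live request packet before sending.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of a network interface with one per-interface ICMP counter. */
struct net_if {
    const char *name;
    unsigned icmp_sent;
};

/* Toy model of a refcounted packet living in a fixed-size slab. */
struct net_pkt {
    int ref;
    struct net_if *iface;
    int in_use;
};

#define SLAB_SIZE 4
static struct net_pkt slab[SLAB_SIZE];

static struct net_pkt *net_pkt_alloc(struct net_if *iface)
{
    for (int i = 0; i < SLAB_SIZE; i++) {
        if (!slab[i].in_use) {
            slab[i].in_use = 1;
            slab[i].ref = 1;
            slab[i].iface = iface;
            return &slab[i];
        }
    }
    return NULL;
}

/* Dropping the last reference returns the slot to the slab. The slot is
 * poisoned on free so the stale read below gives a deterministic result;
 * in a real allocator the slot may already hold another packet. */
static void net_pkt_unref(struct net_pkt *pkt)
{
    if (--pkt->ref == 0) {
        pkt->in_use = 0;
        pkt->iface = NULL;
    }
}

static struct net_if *net_pkt_iface(struct net_pkt *pkt)
{
    return pkt->iface;
}

/* Models the TX path: it owns pkt from here on and may drop the last
 * reference before reporting success to the caller. */
static int net_try_send_data(struct net_pkt *pkt)
{
    net_pkt_unref(pkt);
    return 0;
}

/* With per-interface stats the real macro writes through iface; the NULL
 * check here only keeps the model from crashing on the poisoned value. */
static void net_stats_update_icmp_sent(struct net_if *iface)
{
    if (iface != NULL) {
        iface->icmp_sent++;
    }
}

/* Vulnerable shape: net_pkt_iface(reply) runs after ownership transfer. */
struct net_if *echo_reply_vulnerable(struct net_pkt *req)
{
    struct net_pkt *reply = net_pkt_alloc(net_pkt_iface(req));
    if (reply == NULL) {
        return NULL;
    }
    if (net_try_send_data(reply) == 0) {
        struct net_if *seen = net_pkt_iface(reply); /* use-after-free read */
        net_stats_update_icmp_sent(seen);
        return seen;
    }
    net_pkt_unref(reply);
    return NULL;
}

/* Fixed shape: cache the interface from the live request before sending. */
struct net_if *echo_reply_fixed(struct net_pkt *req)
{
    struct net_if *iface = net_pkt_iface(req);
    struct net_pkt *reply = net_pkt_alloc(iface);
    if (reply == NULL) {
        return NULL;
    }
    if (net_try_send_data(reply) == 0) {
        net_stats_update_icmp_sent(iface);
        return iface;
    }
    net_pkt_unref(reply);
    return NULL;
}

/* Returns 1 when the vulnerable shape read the poisoned pointer and lost the
 * stats update, which is what the debrief predicts. */
int vulnerable_stats_lost(void)
{
    struct net_if ifc = { "eth0", 0 };
    struct net_pkt *req = net_pkt_alloc(&ifc);
    struct net_if *seen = echo_reply_vulnerable(req);
    net_pkt_unref(req);
    return seen == NULL && ifc.icmp_sent == 0;
}

/* Returns 1 when the fixed shape counted the reply on the right interface. */
int fixed_stats_counted(void)
{
    struct net_if ifc = { "eth0", 0 };
    struct net_pkt *req = net_pkt_alloc(&ifc);
    struct net_if *seen = echo_reply_fixed(req);
    net_pkt_unref(req);
    return seen == &ifc && ifc.icmp_sent == 1;
}

int main(void)
{
    printf("vulnerable shape lost the update: %d\n", vulnerable_stats_lost());
    printf("fixed shape counted the reply:    %d\n", fixed_stats_counted());
    return 0;
}
```

The general rule the fix applies is that once a function hands a packet to a call that takes ownership, nothing read from that packet afterwards is trustworthy; any value needed after the call must be copied out beforehand. Reviewing other post-send stats or logging lines in the same stack for the same shape is a cheap audit.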

Official resources

CVE-2026-10639 was published on 2026-06-16T15:16:34.207Z and modified on 2026-06-16T15:23:42.240Z.