PatchSiren cyber security CVE debrief
CVE-2026-10640 zephyrproject CVE debrief
CVE-2026-10640 is a MEDIUM severity vulnerability in Zephyr's IPv6 Neighbor Discovery send paths. The vulnerability is caused by a use-after-free issue when updating per-interface ICMP-sent statistics. This can lead to corrupted statistics, denial of service, or potential limited memory corruption. The vulnerability is reachable by any unauthenticated on-link node simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled.
- Vendor: zephyrproject
- Product: zephyr
- CVSS: MEDIUM 4.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Users of Zephyr versions from v3.3.0 through v4.4.0 with CONFIG_NET_STATISTICS_PER_INTERFACE enabled should be aware of this vulnerability.
Technical summary
The vulnerability is caused by the net_ipv6_send_na, net_ipv6_send_ns, and net_ipv6_send_rs functions in subsys/net/ip/ipv6_nbr.c updating the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) has already returned successfully. Once net_send_data(pkt) succeeds, the network stack owns the packet and may have released its reference before returning, so the subsequent read through pkt is a use-after-free.
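The ordering problem described above, and the fix referred to under the recommended actions, can be reproduced outside the real network stack with a small model. The following is an added illustration, not Zephyr's code: net_send_data() and net_pkt_iface() are stand-in mocks with the ownership semantics the summary describes, the one-slot packet pool, the optional "simulated reuser" that grabs the released buffer, and the helper names send_ns_vulnerable, send_ns_fixed, stats_update_icmp_sent and model_reset are all assumptions made for the example. The vulnerable variant reads the interface through the packet after sending it; the fixed variant uses the iface argument it already holds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for net_if and net_pkt (hypothetical, not Zephyr's structs). */
struct net_if {
    const char *name;
    unsigned int icmp_sent;   /* models the per-interface ICMP-sent counter */
};

struct net_pkt {
    struct net_if *iface;
    bool in_use;
};

/* One-slot packet "pool". Releasing a packet clears it; if a simulated
 * reuser is configured, the slot is immediately handed to that interface,
 * which is how a stale read turns into a counter credited to the wrong
 * interface. With no reuser the stale read yields NULL instead. */
static struct net_pkt pool_slot;
static struct net_if *simulated_reuser;

static struct net_pkt *pkt_alloc(struct net_if *iface)
{
    if (pool_slot.in_use) {
        return NULL;
    }
    pool_slot.iface = iface;
    pool_slot.in_use = true;
    return &pool_slot;
}

static void pkt_unref(struct net_pkt *pkt)
{
    pkt->in_use = false;
    pkt->iface = NULL;
    if (simulated_reuser != NULL) {
        (void)pkt_alloc(simulated_reuser);   /* another context grabs the buffer */
    }
}

/* Mock of net_send_data(): on success the stack owns the packet and releases it. */
static int net_send_data(struct net_pkt *pkt)
{
    pkt_unref(pkt);
    return 0;
}

/* Mock of net_pkt_iface(): plain read of whatever the slot currently holds. */
static struct net_if *net_pkt_iface(struct net_pkt *pkt)
{
    return pkt->iface;
}

/* Returns the interface that was credited, or NULL where real code would
 * dereference freed memory (modelled here as a NULL interface). */
static struct net_if *stats_update_icmp_sent(struct net_if *iface)
{
    if (iface == NULL) {
        return NULL;
    }
    iface->icmp_sent++;
    return iface;
}

/* Vulnerable ordering: the counter is looked up through pkt after
 * net_send_data() has taken ownership of it. */
struct net_if *send_ns_vulnerable(struct net_if *iface)
{
    struct net_pkt *pkt = pkt_alloc(iface);
    if (pkt == NULL) {
        return NULL;
    }
    if (net_send_data(pkt) < 0) {
        pkt_unref(pkt);
        return NULL;
    }
    return stats_update_icmp_sent(net_pkt_iface(pkt));   /* stale read */
}

/* Fixed ordering: use the iface argument the function already holds. */
struct net_if *send_ns_fixed(struct net_if *iface)
{
    struct net_pkt *pkt = pkt_alloc(iface);
    if (pkt == NULL) {
        return NULL;
    }
    if (net_send_data(pkt) < 0) {
        pkt_unref(pkt);
        return NULL;
    }
    return stats_update_icmp_sent(iface);
}

/* Reset the pool and choose who (if anyone) reuses a released buffer. */
void model_reset(struct net_if *reuser)
{
    pool_slot.in_use = false;
    pool_slot.iface = NULL;
    simulated_reuser = reuser;
}

int main(void)
{
    struct net_if eth0 = { "eth0", 0 };
    struct net_if wlan0 = { "wlan0", 0 };
    struct net_if *credited;

    model_reset(NULL);
    credited = send_ns_vulnerable(&eth0);
    printf("vulnerable, no reuse:  %s\n", credited ? credited->name : "NULL (would fault)");
    model_reset(&wlan0);
    credited = send_ns_vulnerable(&eth0);
    printf("vulnerable, reused:    credited %s\n", credited ? credited->name : "NULL");
    model_reset(&wlan0);
    credited = send_ns_fixed(&eth0);
    printf("fixed, reused:         credited %s\n", credited ? credited->name : "NULL");
    return 0;
}
```

Run without a reuser, the vulnerable path ends up with a NULL interface (the denial-of-service outcome in real code); with a reuser, the counter lands on the wrong interface (the corrupted-statistics outcome). The fixed path credits eth0 in both cases because it never touches the packet after handing it to the stack.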
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a version of Zephyr that includes the fix, which uses the already-available iface argument instead of touching the sent packet.
- Disable CONFIG_NET_STATISTICS_PER_INTERFACE if not required.
Evidence notes
The CVE-2026-10640 vulnerability was introduced in Zephyr version v3.3.0 and fixed in a later version. The fix uses the already-available iface argument instead of touching the sent packet.
Official resources
CVE-2026-10640 was published on 2026-06-16T15:16:34.317Z and modified on 2026-06-16T15:23:42.240Z.