{"id":"CVE-2026-10639","summary":"Use-after-free reading `net_pkt_iface()` of a sent ICMPv4 echo-reply packet in `icmpv4_handle_echo_request()`","details":"In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx - net_if_tx - L2/driver send, or the asynchronous net_if_tx_thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref - k_mem_slab_free) before the stats line runs. net_core.c documents this exact contract ('the pkt might contain garbage already ... do not use pkt after that call').\n\nThe post-send net_pkt_iface(reply) therefore reads reply-iface out of a freed (and possibly already reallocated) net_pkt, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer.\n\nThe path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input - net_icmp_call_ipv4_handlers - icmpv4_handle_echo_request) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS).\n\nThe defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free because it reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates.","aliases":["GHSA-qhrf-w466-qmpw"],"modified":"2026-07-08T08:12:22.633808447Z","published":"2026-06-16T13:22:23.165Z","database_specific":{"cwe_ids":["CWE-416"],"unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"1.14.0"},{"fixed":"4.5.0"}]}],"cna_assigner":"zephyr","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10639.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10639.json"},{"type":"ADVISORY","url":"https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-qhrf-w466-qmpw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10639"},{"type":"FIX","url":"https://github.com/zephyrproject-rtos/zephyr/commit/86e21665d4641f304dc3895bfb03b8f89db83291"},{"type":"PACKAGE","url":"https://github.com/zephyrproject-rtos/zephyr"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zephyrproject-rtos/zephyr","events":[{"introduced":"0"},{"fixed":"684c9e8f32e4373a21098559f748f06915f950c9"}],"database_specific":{"source":"DESCRIPTION","extracted_events":[{"introduced":"0"},{"fixed":"v4.4.0"}]}}],"versions":["v4.4.0-rc3","v4.4.0-rc2","v4.4.0-rc1","v4.3.0","v4.3.0-rc3","v4.3.0-rc2","v4.3.0-rc1","v4.2.0","v4.2.0-rc3","v4.2.0-rc2","v4.2.0-rc1","v4.1.0","v4.1.0-rc3","v4.1.0-rc2","v4.1.0-rc1","v4.0.0","v4.0.0-rc3","v4.0.0-rc2","v4.0.0-rc1","v3.7.0","v3.7.0-rc3","v3.7.0-rc2","v3.7.0-rc1","v3.6.0","v3.6.0-rc3","v3.6.0-rc2","v3.6.0-rc1","zephyr-v3.5.0","v3.5.0","v3.5.0-rc3","v3.5.0-rc2","v3.5.0-rc1","zephyr-v3.4.0","v3.4.0","v3.4.0-rc3","v3.4.0-rc2","v3.4.0-rc1","zephyr-v3.3.0","v3.3.0","v3.3.0-rc3","v3.3.0-rc2","v3.3.0-rc1","zephyr-v3.2.0","v3.2.0","v3.2.0-rc3","v3.2.0-rc2","v3.2.0-rc1","zephyr-v3.1.0","v3.1.0","v3.1.0-rc3","v3.1.0-rc2","v3.1.0-rc1","zephyr-v3.0.0","v3.0.0","v3.0.0-rc3","v3.0.0-rc2","v3.0.0-rc1","v2.7.99","v2.7.0-rc3","v2.7.0-rc2","v2.7.0-rc1","zephyr-v2.6.0","v2.6.0","v2.6.0-rc3","v2.6.0-rc2","v2.6.0-rc1","zephyr-v2.5.0","v2.5.0","v2.5.0-rc4","v2.5.0-rc3","v2.5.0-rc2","v2.5.0-rc1","zephyr-v2.4.0","v2.4.0","v2.4.0-rc3","v2.4.0-rc2","v2.4.0-rc1","zephyr-v2.3.0","v2.3.0","v2.3.0-rc2","v2.3.0-rc1","zephyr-v2.1.0","v2.1.0","zephyr-v2.2.0","v2.2.0","v2.2.0-rc3","v2.2.0-rc2","v2.2.0-rc1","v2.1.0-rc3","v2.1.0-rc2","v2.1.0-rc1","zephyr-v2.0.0","v2.0.0","v2.0.0-rc3","v2.0.0-rc2","v2.0.0-rc1","zephyr-v1.14.0","v1.14.0","v1.14.0-rc3","v1.14.0-rc2","v1.14.0-rc1","zephyr-v1.13.0","v1.13.0","v1.13.0-rc3","v1.13.0-rc2","v1.13.0-rc1","zephyr-v1.12.0","v1.12.0","v1.12.0-rc3","v1.12.0-rc2","v1.12.0-rc1","zephyr-v1.11.0","v1.11.0","v1.11.0-rc3","v1.11.0-rc2","v1.11.0-rc1","zephyr-v1.10.0","v1.10.0","v1.10.0-rc3","v1.10.0-rc2","v1.10.0-rc1","zephyr-v1.9.0","v1.9.0","v1.9.0-rc4","v1.9.0-rc3","v1.9.0-rc2","v1.9.0-rc1","v1.8.99","zephyr-v1.5.0","v1.5.0","v1.7.99","v1.6.99","v1.5.0-rc4","v1.5.0-rc3","v1.5.0-rc2","v1.5.0-rc1","v1.5.0-rc0","zephyr-v1.4.0","v1.4.0","v1.4.0-rc3","v1.4.0-rc2","v1.4.0-rc1","zephyr-v1.3.0","v1.3.0","v1.3.0-rc2","v1.3.0-rc1","zephyr-v1.2.0","v1.2.0","v1.2.0-rc2","v1.2.0-rc1","zephyr-v1.1.0","v1.1.0","v1.1.0-rc1","zephyr-v1.0.0","v1.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-10639.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}]}