Vulnerability Details CVE-2026-10637
subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after that call'), a successful send transfers ownership of the net_pkt and the L2 driver frees it (e.g. ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab.
The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot is concurrently reallocated, pkt->iface may read back as NULL (NULL-pointer dereference / crash) or as a stale/garbage pointer (stray increment write / memory corruption).
The path is reachable remotely on the local link without authentication: handle_mld_query() (registered for NET_ICMPV6_MLD_QUERY) responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() -> mld_send().
The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption. The fix caches the interface in a local before sending and no longer touches the packet after net_send_data(). The IPv4/IGMP sibling (igmp_send) already used the corrected pattern.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 21.8%
CVSS Severity
CVSS v3 Score 5.9
Products affected by CVE-2026-10637
-
cpe:2.3:o:zephyrproject:zephyr:1.12.0
-
cpe:2.3:o:zephyrproject:zephyr:1.13.0
-
cpe:2.3:o:zephyrproject:zephyr:1.14.0
-
cpe:2.3:o:zephyrproject:zephyr:1.14.1
-
cpe:2.3:o:zephyrproject:zephyr:1.14.2
-
cpe:2.3:o:zephyrproject:zephyr:1.14.3
-
cpe:2.3:o:zephyrproject:zephyr:2.0.0
-
cpe:2.3:o:zephyrproject:zephyr:2.1.0
-
cpe:2.3:o:zephyrproject:zephyr:2.2.0
-
cpe:2.3:o:zephyrproject:zephyr:2.3.0
-
cpe:2.3:o:zephyrproject:zephyr:2.4.0
-
cpe:2.3:o:zephyrproject:zephyr:2.5.0
-
cpe:2.3:o:zephyrproject:zephyr:2.5.1
-
cpe:2.3:o:zephyrproject:zephyr:2.6.0
-
cpe:2.3:o:zephyrproject:zephyr:2.6.1
-
cpe:2.3:o:zephyrproject:zephyr:2.7.0
-
cpe:2.3:o:zephyrproject:zephyr:2.79.0
-
cpe:2.3:o:zephyrproject:zephyr:2.8.0
-
cpe:2.3:o:zephyrproject:zephyr:2.81.0
-
cpe:2.3:o:zephyrproject:zephyr:2.82.0
-
cpe:2.3:o:zephyrproject:zephyr:2.83.0
-
cpe:2.3:o:zephyrproject:zephyr:2.84.0
-
cpe:2.3:o:zephyrproject:zephyr:2.85.0
-
cpe:2.3:o:zephyrproject:zephyr:2.86.0
-
cpe:2.3:o:zephyrproject:zephyr:2.87.0
-
cpe:2.3:o:zephyrproject:zephyr:2.88.0
-
cpe:2.3:o:zephyrproject:zephyr:2.89.0
-
cpe:2.3:o:zephyrproject:zephyr:2.90.0
-
cpe:2.3:o:zephyrproject:zephyr:2.91.0
-
cpe:2.3:o:zephyrproject:zephyr:2.92.0
-
cpe:2.3:o:zephyrproject:zephyr:2.93.0
-
cpe:2.3:o:zephyrproject:zephyr:2.94.0
-
cpe:2.3:o:zephyrproject:zephyr:2.95.0
-
cpe:2.3:o:zephyrproject:zephyr:3.0.0
-
cpe:2.3:o:zephyrproject:zephyr:3.0.1
-
cpe:2.3:o:zephyrproject:zephyr:3.1.0
-
cpe:2.3:o:zephyrproject:zephyr:3.2.0
-
cpe:2.3:o:zephyrproject:zephyr:3.2.01
-
cpe:2.3:o:zephyrproject:zephyr:3.2.1
-
cpe:2.3:o:zephyrproject:zephyr:3.2.31
-
cpe:2.3:o:zephyrproject:zephyr:3.2.40
-
cpe:2.3:o:zephyrproject:zephyr:3.2.41
-
cpe:2.3:o:zephyrproject:zephyr:3.3.0
-
cpe:2.3:o:zephyrproject:zephyr:3.4.0
-
cpe:2.3:o:zephyrproject:zephyr:3.5.0
-
cpe:2.3:o:zephyrproject:zephyr:3.6.0
-
cpe:2.3:o:zephyrproject:zephyr:3.7.0
-
cpe:2.3:o:zephyrproject:zephyr:3.7.1
-
cpe:2.3:o:zephyrproject:zephyr:3.7.2
-
cpe:2.3:o:zephyrproject:zephyr:4.0.0
-
cpe:2.3:o:zephyrproject:zephyr:4.1.0
-
cpe:2.3:o:zephyrproject:zephyr:4.2.0
-
cpe:2.3:o:zephyrproject:zephyr:4.2.1
-
cpe:2.3:o:zephyrproject:zephyr:4.3.0
-
cpe:2.3:o:zephyrproject:zephyr:4.3.1
-
cpe:2.3:o:zephyrproject:zephyr:4.4.0
-
cpe:2.3:o:zephyrproject:zephyr:4.4.1