Vulnerabilities in zephyrproject
14 results

| CVE | Severity | Description | EPSS |
| --- | --- | --- | --- |
| CVE-2026-10640 | MEDIUM | Use-after-free reading `net_pkt` `iface` after send in IPv6 Neighbor Discovery (`ipv6_nbr.c`) | 0.4% |
| CVE-2026-10638 | MEDIUM | Use-after-free in Zephyr ICMPv6 RX path when updating statistics after sending an echo reply or error | 0.3% |
| CVE-2026-10641 | HIGH | Out-of-bounds write in Bluetooth HFP Hands-Free CIND indicator parsing (cind_handle_values) | 0.3% |
| CVE-2026-10646 | HIGH | Use-after-return in `zsock_getaddrinfo()` when a timed-out DNS query is retried without cancellation | 0.3% |
| CVE-2026-10636 | LOW | Use-after-free in Zephyr IPv4 IGMP send path (igmp_send) | 0.3% |
| CVE-2026-10639 | MEDIUM | Use-after-free reading `net_pkt_iface()` of a sent ICMPv4 echo-reply packet in `icmpv4_handle_echo_request()` | 0.2% |
| CVE-2026-10637 | MEDIUM | Use-after-free of net_pkt in IPv6 MLD send path triggerable by a link-local MLD Query | 0.2% |
| CVE-2026-10642 | MEDIUM | Unbounded TX busy-loop DoS in Zephyr PL011 UART driver under CTS hardware flow control | 0.2% |
| CVE-2026-10593 | MEDIUM | Remotely triggerable NULL-pointer dereference in Bluetooth LE Audio BAP unicast client QoS-state handling | 0.2% |
| CVE-2026-10635 | MEDIUM | Dangling memory-domain pointer (use-after-free) in Xtensa MMU page-table code on memory-domain de-init | 0.2% |
| CVE-2026-10634 | MEDIUM | Use-after-free in Zephyr native TCP net_tcp_foreach() due to dropping tcp_lock during the callback | 0.2% |
| CVE-2026-10644 | MEDIUM | Out-of-bounds write in Microchip SERCOM-G1 (PIC32CM-JH) async UART RX with 1-byte buffer | 0.1% |
| CVE-2026-10643 | HIGH | Out-of-bounds heap write in Zephyr `recvmsg()` ancillary-data path (`insert_pktinfo` undersizes the control-buffer capacity check) | 0.1% |
| CVE-2026-10647 | MEDIUM | Deadlock denial of service in USB CDC-NCM device class on TX enqueue failure | — |