Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-10636

Gravedad CVSS v3.1:
BAJA
Tipo:
CWE-416 Utilización después de liberación
Fecha de publicación:
16/06/2026
Última modificación:
14/07/2026

Descripción

*** Pendiente de traducción *** In Zephyr&amp;#39;s IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet&amp;#39;s last reference may already have been released by the L2 driver or by the network stack&amp;#39;s TX handling (synchronously in the default NET_TC_TX_COUNT=0 immediate-transmit configuration), returning the net_pkt slab block to its free list. The subsequent net_pkt_iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write.<br /> <br /> The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net_ipv4_igmp_input -&gt; send_igmp_report/send_igmp_v3_report -&gt; igmp_send), as well as from local multicast join/leave/rejoin operations.<br /> <br /> Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse.<br /> <br /> The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld_send in subsys/net/ip/ipv6_mld.c) retains the same unfixed pattern.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:zephyrproject:zephyr:*:*:*:*:*:*:*:* 2.6.0 (incluyendo) 4.5.0 (excluyendo)