CVE-2026-10636
Gravedad CVSS v3.1:
BAJA
Tipo:
CWE-416
Utilización después de liberación
Fecha de publicación:
16/06/2026
Última modificación:
14/07/2026
Descripción
*** Pendiente de traducción *** In Zephyr&#39;s IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet&#39;s last reference may already have been released by the L2 driver or by the network stack&#39;s TX handling (synchronously in the default NET_TC_TX_COUNT=0 immediate-transmit configuration), returning the net_pkt slab block to its free list. The subsequent net_pkt_iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write.<br />
<br />
The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net_ipv4_igmp_input -> send_igmp_report/send_igmp_v3_report -> igmp_send), as well as from local multicast join/leave/rejoin operations.<br />
<br />
Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse.<br />
<br />
The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld_send in subsys/net/ip/ipv6_mld.c) retains the same unfixed pattern.
Impacto
Puntuación base 3.x
3.70
Gravedad 3.x
BAJA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:zephyrproject:zephyr:*:*:*:*:*:*:*:* | 2.6.0 (incluyendo) | 4.5.0 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



