PT-2026-57569 · Zephyrproject · Zephyr

Publicado

2026-07-12

·

Atualizado

2026-07-12

·

CVE-2026-10667

CVSS v3.1

7.8

Alta

VetorAV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj list) of dynamically allocated kernel objects. Iteration over this list in k object wordlist foreach() was performed under lists lock using the SAFE iterator (which caches the next node), but list removal and freeing of nodes was performed under different, disjoint spinlocks: objfree lock in k object free() and obj lock in unref check(). On an SMP system, while one CPU iterated obj list under lists lock, another CPU could unlink and k free() the dyn obj node that the iterator had cached as its next pointer, causing the iterator to dereference freed kernel memory (use-after-free / dangling list traversal). All of the racing operations are reachable from unprivileged user-mode threads via system calls: k object alloc/k object alloc size and k object release drive removals through unref check() (under obj lock), while k thread abort and thread creation drive the iteration through k thread perms all clear()/k thread perms inherit() (under lists lock). A deprivileged user thread on a CONFIG SMP + CONFIG USERSPACE build can therefore corrupt the kernel's object-tracking structures across the userspace security boundary, yielding kernel memory corruption (potential privilege escalation) or a kernel crash (denial of service). The fix removes objfree lock and serializes every obj list modification under lists lock, including holding it across find+remove in k object free() and around unref check() in k thread perms clear(). Affects CONFIG SMP+CONFIG USERSPACE+CONFIG DYNAMIC OBJECTS configurations; the defect dates to the 2019 spinlockification (commit 8a3d57b6cc6, first released in v1.14.0) and shipped through v4.4.0.

Correção

Use After Free

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-10667

Produtos afetados

Zephyr