PT-2026-57569 · Zephyrproject · Zephyr
Publicado
2026-07-12
·
Atualizado
2026-07-12
·
CVE-2026-10667
CVSS v3.1
7.8
Alta
| Vetor | AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj list) of dynamically allocated kernel objects. Iteration over this list in k object wordlist foreach() was performed under lists lock using the SAFE iterator (which caches the next node), but list removal and freeing of nodes was performed under different, disjoint spinlocks: objfree lock in k object free() and obj lock in unref check(). On an SMP system, while one CPU iterated obj list under lists lock, another CPU could unlink and k free() the dyn obj node that the iterator had cached as its next pointer, causing the iterator to dereference freed kernel memory (use-after-free / dangling list traversal). All of the racing operations are reachable from unprivileged user-mode threads via system calls: k object alloc/k object alloc size and k object release drive removals through unref check() (under obj lock), while k thread abort and thread creation drive the iteration through k thread perms all clear()/k thread perms inherit() (under lists lock). A deprivileged user thread on a CONFIG SMP + CONFIG USERSPACE build can therefore corrupt the kernel's object-tracking structures across the userspace security boundary, yielding kernel memory corruption (potential privilege escalation) or a kernel crash (denial of service). The fix removes objfree lock and serializes every obj list modification under lists lock, including holding it across find+remove in k object free() and around unref check() in k thread perms clear(). Affects CONFIG SMP+CONFIG USERSPACE+CONFIG DYNAMIC OBJECTS configurations; the defect dates to the 2019 spinlockification (commit 8a3d57b6cc6, first released in v1.14.0) and shipped through v4.4.0.
Correção
Use After Free
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Zephyr