PT-2026-58037 · Zephyrproject · Zephyr
Publicado
2026-07-14
·
Atualizado
2026-07-14
·
CVE-2026-10670
CVSS v3.1
5.5
Média
| Vetor | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
The CONFIG USERSPACE verification handler for the k thread name copy() system call (z vrfy k thread name copy() in kernel/thread.c) calls k object find() on the caller-supplied thread pointer and then dereferences the returned struct k object without checking it for NULL. k object find() returns NULL whenever the supplied pointer is not a registered (static or dynamic) kernel object.
The pre-fix guard tested thread == NULL instead of ko == NULL, so an unprivileged user-mode thread that invokes k thread name copy() with any non-NULL but unregistered pointer (e.g. an arbitrary address) passes the NULL test, after which the verifier reads ko->type through a NULL pointer.
Because the syscall verifier runs in supervisor mode, this NULL dereference is a kernel-mode fault that halts or reboots the system, allowing untrusted user code to crash the kernel across the userspace security boundary (denial of service). The marshaller passes the thread argument to the verifier without any prior K SYSCALL OBJ validation, so the bad pointer reaches the defect directly.
The flaw affects builds with CONFIG USERSPACE and CONFIG THREAD NAME enabled and has been present since the special-case lookup was introduced around v2.0.0; it is present in v4.4.0 and earlier. The fix changes the guard to check the k object find() return value (ko == NULL) before dereferencing it.
Correção
NULL Pointer Dereference
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Zephyr