PT-2026-58037 · Zephyrproject · Zephyr

Publicado

2026-07-14

·

Atualizado

2026-07-14

·

CVE-2026-10670

CVSS v3.1

5.5

Média

VetorAV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
The CONFIG USERSPACE verification handler for the k thread name copy() system call (z vrfy k thread name copy() in kernel/thread.c) calls k object find() on the caller-supplied thread pointer and then dereferences the returned struct k object without checking it for NULL. k object find() returns NULL whenever the supplied pointer is not a registered (static or dynamic) kernel object.
The pre-fix guard tested thread == NULL instead of ko == NULL, so an unprivileged user-mode thread that invokes k thread name copy() with any non-NULL but unregistered pointer (e.g. an arbitrary address) passes the NULL test, after which the verifier reads ko->type through a NULL pointer.
Because the syscall verifier runs in supervisor mode, this NULL dereference is a kernel-mode fault that halts or reboots the system, allowing untrusted user code to crash the kernel across the userspace security boundary (denial of service). The marshaller passes the thread argument to the verifier without any prior K SYSCALL OBJ validation, so the bad pointer reaches the defect directly.
The flaw affects builds with CONFIG USERSPACE and CONFIG THREAD NAME enabled and has been present since the special-case lookup was introduced around v2.0.0; it is present in v4.4.0 and earlier. The fix changes the guard to check the k object find() return value (ko == NULL) before dereferencing it.

Correção

NULL Pointer Dereference

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-10670

Produtos afetados

Zephyr