Zephyr · Zephyr · CVE-2026-5072
**Name of the Vulnerable Software and Affected Versions**
Zephyr (affected versions not specified)
**Description**
A bitwise shift issue in the PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. By sending a crafted `PTP_MSG_MANAGEMENT` message, an attacker can set an unvalidated negative `log_announce_interval` value in the port's data set. When a `PTP_MSG_ANNOUNCE` message is subsequently processed, the `port_timer_set_timeout_random()` function computes a timeout using the operation `NSEC_PER_SEC >> -log_seconds`. If the provided value is sufficiently negative, the shift amount exceeds the 64-bit integer width, triggering undefined behavior in C. This may result in a system crash via a compiler-generated illegal instruction trap on certain architectures, or produce an erroneous zero timeout leading to resource starvation loops or other logical errors.
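The shift described above, next to a range-checked form, as an added example that is not Zephyr's code or its fix. The function names and the bounds `LOG_SECONDS_MIN`/`LOG_SECONDS_MAX` are assumptions chosen for illustration, and the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL /* same value as Zephyr's macro */
/* Assumed bounds for this example: 1e9 >> 29 is 1 ns, 1e9 << 34 fits in 64 bits. */
#define LOG_SECONDS_MIN (-29)
#define LOG_SECONDS_MAX 34

/* Hypothetical validator, to run when a management message supplies the interval. */
bool log_interval_valid(int log_seconds)
{
	return log_seconds >= LOG_SECONDS_MIN && log_seconds <= LOG_SECONDS_MAX;
}

/* The shift from the advisory: undefined in C once -log_seconds >= 64,
 * and already 0 for shift counts 30..63 because 1e9 < 2^30. */
uint64_t timeout_ns_unchecked(int log_seconds)
{
	return NSEC_PER_SEC >> -log_seconds;
}

/* Hardened form: rejects out-of-range exponents, so it never shifts by >= 64
 * and never returns a zero timeout. */
int timeout_ns_checked(int log_seconds, uint64_t *timeout_ns)
{
	if (!log_interval_valid(log_seconds)) {
		return -1; /* caller keeps its previous, valid interval */
	}
	*timeout_ns = (log_seconds < 0) ? NSEC_PER_SEC >> -log_seconds
					: NSEC_PER_SEC << log_seconds;
	return 0;
}

int main(void)
{
	const int samples[] = { 1, 0, -3, -29, -30, -64, -128 }; /* constructed inputs */
	for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t ns = 0;
		if (timeout_ns_checked(samples[i], &ns) == 0) {
			printf("log=%4d -> %llu ns\n", samples[i], (unsigned long long)ns);
		} else {
			printf("log=%4d -> rejected\n", samples[i]);
		}
	}
	return 0;
}
```

Building the unchecked variant with `-fsanitize=shift` (GCC or Clang UBSan) reports the out-of-range shift at run time, which is a practical way to catch this class of bug in tests.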
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.