PT-2026-42731 · Zephyr · Zephyr

Published 2026-05-22 · Updated 2026-05-22 · CVE-2026-5072

CVSS v3.1: 6.5 (Medium)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Zephyr (affected versions not specified)

Description

A bitwise shift issue in the PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. By sending a crafted 'PTP_MSG_MANAGEMENT' message, an attacker can set an unvalidated negative log announce interval value in the port's data set. When a 'PTP_MSG_ANNOUNCE' message is subsequently processed, the port_timer_set_timeout_random() function computes a timeout using the operation NSEC_PER_SEC >> -log_seconds. If the provided value is sufficiently negative, the shift amount exceeds the 64-bit integer width, triggering undefined behavior in C. This may result in a system crash via a compiler-generated illegal instruction trap on certain architectures, or produce an erroneous zero timeout leading to resource starvation loops or other logical errors.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
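
The description traces the fault to a shift count derived from an unvalidated log interval. As an added example (not Zephyr's code and not a published fix), the C below range-checks the value both where it would be accepted and where it is used, so neither an out-of-width shift nor a zero timeout can occur. The bounds and the names log_interval_valid and log_interval_to_ns are assumptions made for this illustration, and NSEC_PER_SEC is redefined locally.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL /* redefined here so the example builds alone */

/* Assumed bounds for an accepted log2 interval; set them from your PTP profile. */
#define LOG_INTERVAL_MIN (-7)
#define LOG_INTERVAL_MAX 6

/* Gate to apply before a management message may overwrite the stored interval. */
bool log_interval_valid(int8_t log_seconds)
{
	return log_seconds >= LOG_INTERVAL_MIN && log_seconds <= LOG_INTERVAL_MAX;
}

/*
 * Compute 2^log_seconds seconds in nanoseconds.
 * Re-checks the range at the point of use, so a value that slipped into the
 * data set can never produce a shift count >= 64 (undefined) or a zero timeout.
 */
bool log_interval_to_ns(int8_t log_seconds, uint64_t *ns)
{
	if (ns == NULL || !log_interval_valid(log_seconds)) {
		return false;
	}
	if (log_seconds < 0) {
		*ns = NSEC_PER_SEC >> (unsigned int)(-log_seconds);
	} else {
		*ns = NSEC_PER_SEC << (unsigned int)log_seconds;
	}
	return true;
}

int main(void)
{
	/* Constructed sample values, including out-of-range negatives. */
	const int8_t samples[] = { 1, 0, -3, -7, -64, -128 };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t ns = 0;
		bool ok = log_interval_to_ns(samples[i], &ns);

		printf("log=%4d -> %s %llu ns\n", samples[i], ok ? "ok" : "rejected",
		       (unsigned long long)ns);
	}
	return 0;
}
```

A caller that gets false should keep its previous timeout or fall back to a configured default rather than arm the timer.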

Related Identifiers

CVE-2026-5072

Affected Products

Zephyr