PT-2026-49241 · Zephyrproject · Zephyr
Published 2026-06-15 · Updated 2026-06-15 · CVE-2026-10634
CVSS v3.1: 4.8 (Medium)
| Vector | AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired it afterwards. During that window a concurrent tcp_conn_release(), running on the dedicated TCP work-queue thread when a connection's reference count drops to zero (e.g. a remote peer closing or resetting the connection), can remove and k_mem_slab_free() the cached next connection. When the iterator advances it dereferences the freed (and possibly reallocated) slab memory: a use-after-free that can crash the system (denial of service) and, if the slot has been reused, cause the callback to operate on an attacker-influenced object (potential information disclosure or further fault).

net_tcp_foreach() is reached in production via the 'net conn' network shell command and via net_tcp_close_all_for_iface() on interface-down; the freeing side is driven by ordinary TCP traffic.

The fix moves the connection/context teardown in tcp_conn_release() inside the tcp_lock critical section and keeps tcp_lock held across the callback in net_tcp_foreach(). The defect was introduced with the modern (TCP2) stack in 2020 and affects releases up to and including v4.4.0.
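To make the race concrete for reviewers and detection engineers, here is an added, single-threaded C model of the interleaving the advisory describes; it is not Zephyr's code and not the patch. The list, lock and slab are simplified stand-ins (conn_slab, request_release, tcp_lock/tcp_unlock, foreach_drop_lock_in_cb, foreach_hold_lock are all names assumed for this model), freed slots are poisoned rather than reused, and the work-queue thread is modelled as a release that runs as soon as the lock is not held. The pre-fix loop drops the lock around the callback and ends up visiting a freed slot; the post-fix loop holds the lock across the callback so the release is deferred until the iteration is done.

```c
/* Added illustration, not Zephyr code: models the net_tcp_foreach() /
 * tcp_conn_release() race deterministically. All names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS   4
#define FREED_ID (-1)   /* poison written on free; stands in for reused slab memory */

struct conn {
    struct conn *next;  /* intrusive singly-linked list link, like sys_snode_t */
    int id;
    bool in_use;
};

static struct conn conn_slab[NSLOTS];   /* fixed pool, like a k_mem_slab */
static struct conn *conn_list;          /* head of the global connection list */
static bool tcp_lock_held;
static struct conn *pending[NSLOTS];    /* releases waiting for the lock */
static int npending;

/* Mirrors SYS_SLIST_FOR_EACH_CONTAINER_SAFE: 'n' is cached before the body runs. */
#define LIST_FOR_EACH_SAFE(head, c, n)                                   \
    for ((c) = (head), (n) = (c) ? (c)->next : NULL; (c) != NULL;        \
         (c) = (n), (n) = (c) ? (c)->next : NULL)

static void list_unlink(struct conn *victim)
{
    for (struct conn **pp = &conn_list; *pp != NULL; pp = &(*pp)->next) {
        if (*pp == victim) { *pp = victim->next; return; }
    }
}

/* Teardown (tcp_conn_release analogue): unlink, then return the slot to the slab. */
static void do_release(struct conn *c)
{
    list_unlink(c);
    c->in_use = false;
    c->id = FREED_ID;
    c->next = NULL;
}

/* Work-queue side: the teardown needs tcp_lock, so it runs at once only while
 * the iterator has dropped the lock; otherwise it waits for the next unlock. */
static void request_release(struct conn *c)
{
    if (!tcp_lock_held) do_release(c);
    else pending[npending++] = c;
}

static void tcp_lock(void) { tcp_lock_held = true; }
static void tcp_unlock(void)
{
    tcp_lock_held = false;
    while (npending > 0) do_release(pending[--npending]);
}

/* Constructed fixture: connections 0..n-1 in list order, nothing pending. */
static void setup_conns(int n)
{
    memset(conn_slab, 0, sizeof(conn_slab));
    conn_list = NULL; tcp_lock_held = false; npending = 0;
    for (int i = n - 1; i >= 0; i--) {
        conn_slab[i].id = i; conn_slab[i].in_use = true;
        conn_slab[i].next = conn_list; conn_list = &conn_slab[i];
    }
}

static int list_count(void)
{
    int k = 0;
    for (struct conn *c = conn_list; c != NULL; c = c->next) k++;
    return k;
}

/* Callback models a peer resetting the *next* connection while this one is handled. */
static void cb_release_next(struct conn *c)
{
    if (c->next != NULL && c->next->in_use) request_release(c->next);
}

/* Pre-fix shape: lock dropped around the callback. Returns how many times the
 * iterator landed on an already-freed slot (0 is the correct answer). */
static int foreach_drop_lock_in_cb(void)
{
    struct conn *c, *n; int uaf = 0;
    tcp_lock();
    LIST_FOR_EACH_SAFE(conn_list, c, n) {
        tcp_unlock();                 /* window in which the release can run */
        if (!c->in_use) uaf++;        /* cached 'n' pointed at freed memory */
        else cb_release_next(c);
        tcp_lock();
    }
    tcp_unlock();
    return uaf;
}

/* Post-fix shape: lock held across the callback, release deferred to tcp_unlock(). */
static int foreach_hold_lock(void)
{
    struct conn *c, *n; int uaf = 0;
    tcp_lock();
    LIST_FOR_EACH_SAFE(conn_list, c, n) {
        if (!c->in_use) uaf++;
        else cb_release_next(c);
    }
    tcp_unlock();
    return uaf;
}

int main(void)
{
    setup_conns(3);
    printf("drop-lock loop: freed slots visited = %d\n", foreach_drop_lock_in_cb());
    setup_conns(3);
    printf("hold-lock loop: freed slots visited = %d\n", foreach_hold_lock());
    return 0;
}
```

In the model the poisoned slot is still valid memory, so the bad access is counted rather than faulting; on a real target the same step reads freed or reused slab memory. Note also that the pre-fix loop silently skips the connection after the freed one, which is the kind of inconsistent 'net conn' output that can hint at this class of bug before it crashes.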
Fix
Weakness Enumeration
Use After Free
Related Identifiers
Affected Products
Zephyr