PT-2026-49610 · Zephyrproject · Zephyr

Published: 2026-06-16 · Updated: 2026-06-16 · CVE-2026-10635

CVSS v3.1: 6.3 (Medium)

Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain_deinit() -> arch_mem_domain_deinit(), the page tables are torn down and domain->arch.ptables is set to NULL, but the domain's node was not removed from xtensa_domain_list. The freed/deinitialized domain therefore remained linked into the global list as a dangling pointer into caller-owned storage that may then be freed or reused.

Any subsequent arch_mem_map()/arch_mem_unmap() operation (widely invoked by kernel memory-mapping and demand-paging code) traverses the stale node and dereferences domain->ptables: at minimum a NULL pointer dereference causing a fatal MMU exception (denial of service), and if the k_mem_domain storage has been freed or reused, a use-after-free in which a stale/controlled ptables value is dereferenced and written through during the page-table walk (l2_page_table_map() writes l1_table[...] and l2_table[...], and xtensa_mmu_compute_domain_regs() writes into the domain struct and the L1 table), yielding page-table memory corruption that can undermine userspace isolation. The vulnerable path is reachable only from privileged kernel/supervisor code (k_mem_domain_deinit() is not a syscall), not directly from unprivileged user threads or remotely.

Affected: Zephyr v4.4.0 (the Xtensa memory-domain de-initialization feature was introduced in commit 3032b58f52d and first shipped in v4.4.0); fixed on main by adding sys_slist_find_and_remove() in arch_mem_domain_deinit(). The Xtensa MPU path is unaffected.
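The list-membership defect and its fix, as an added example in plain C that is not Zephyr's code: a minimal intrusive singly-linked list stands in for sys_slist, the domain struct and L1 table are constructed stand-ins, and the modelled arch_mem_map() walk returns -1 at the point where the real walk would dereference the stale domain's NULL ptables and fault.

```c
/* Simplified model (not Zephyr code) of the bug described above: a list node
 * embedded in caller-owned domain storage that deinit must unlink. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
struct snode { struct snode *next; };
struct mem_domain {          /* caller-owned, like struct k_mem_domain */
    uint32_t *ptables;       /* set to NULL on deinit */
    struct snode node;       /* linked into domain_list */
};
#define CONTAINER_OF(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))
static struct snode *domain_list;  /* head of the global domain list */
static uint32_t demo_l1_table[4];  /* constructed stand-in for an L1 table */

/* Like sys_slist_find_and_remove(): unlink n if present, report whether it was. */
static bool list_find_and_remove(struct snode **head, struct snode *n)
{
    for (struct snode **pp = head; *pp != NULL; pp = &(*pp)->next)
        if (*pp == n) { *pp = n->next; n->next = NULL; return true; }
    return false;
}

void domain_init(struct mem_domain *d)
{
    d->ptables = demo_l1_table;
    d->node.next = domain_list;
    domain_list = &d->node;
}

/* Vulnerable shape: page tables torn down, node left linked (dangling). */
void domain_deinit_buggy(struct mem_domain *d) { d->ptables = NULL; }

/* Fixed shape: unlink from the global list as part of teardown. */
void domain_deinit_fixed(struct mem_domain *d)
{
    list_find_and_remove(&domain_list, &d->node);
    d->ptables = NULL;
}

/* Models the arch_mem_map() walk over every listed domain: returns how many
 * were updated, or -1 on reaching a stale node whose ptables is NULL. */
int map_all_domains(uint32_t entry)
{
    int mapped = 0;
    for (struct snode *n = domain_list; n != NULL; n = n->next) {
        struct mem_domain *d = CONTAINER_OF(n, struct mem_domain, node);
        if (d->ptables == NULL) return -1;   /* real code would fault here */
        d->ptables[0] = entry; mapped++;
    }
    return mapped;
}
```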

Fix

Weakness Enumeration: Use After Free

Related Identifiers: CVE-2026-10635

Affected Products: Zephyr