CVE-2026-10636

In Zephyr's IPv4 IGMP implementation, igmp send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net pkt iface(pkt) after the packet had been handed to net send data(). On the successful-send path the packet's last reference may already have been released by the L2 driver or by the network stack's TX handling (synchronously in the default NET TC TX COUNT=0 immediate-transmit configuration), returning the net pkt slab block to its free list. The subsequent net pkt iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG NET STATISTICS PER INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write. The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net ipv4 igmp input - send igmp report/send igmp v3 report - igmp send), as well as from local multicast join/leave/rejoin operations. Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse. The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld send in subsys/net/ip/ipv6 mld.c) retains the same unfixed pattern.