PT-2026-49710 · Zephyrproject · Zephyr
Published 2026-06-16 · Updated 2026-06-16 · CVE-2026-10637
CVSS v3.1 5.9 Medium
| Vector | AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H |
subsys/net/ip/ipv6_mld.c:mld_send() read the packet's interface via net_pkt_iface(pkt) after net_send_data(pkt) had returned successfully. Under the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460, 'do not use pkt after that call'), a successful send transfers ownership of the net_pkt to the L2 driver, which frees it (for example ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab. The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot has been concurrently reallocated, pkt->iface may read back as NULL (NULL-pointer dereference, crash) or as a stale or garbage pointer (stray increment write, memory corruption).

The path is reachable from the local link without authentication: handle_mld_query(), registered for NET_ICMPV6_MLD_QUERY, responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() -> mld_send(). The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption.

The fix caches the interface in a local variable before sending and no longer touches the packet after net_send_data() returns. The IPv4/IGMP sibling, igmp_send(), already used the corrected pattern.
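The ownership hazard described above, as an added example that is not Zephyr source: a two-slot stand-in for the packet slab, a stand-in net_send_data() that frees the packet on success and can let another interface reuse the slot, and the vulnerable and corrected shapes of mld_send() side by side. The simplified struct net_if and struct net_pkt, the interface names eth0 and wlan0, and the helpers run_report() and concurrent_allocator are assumptions chosen for readability; the real Zephyr types and APIs differ. The run with a racing allocator shows the stray-increment outcome the advisory mentions, not just the NULL read.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in types (assumed, not Zephyr's): only the fields the bug touches.
 * mld_sent models the per-interface counter that UPDATE_STAT() bumps when
 * CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. */
struct net_if { unsigned long mld_sent; };
struct net_pkt { struct net_if *iface; bool in_use; };

#define SLAB_SLOTS 2
static struct net_pkt slab[SLAB_SLOTS]; /* stand-in for the net_pkt k_mem_slab */

/* When set, another context grabs a packet for this interface right after a
 * slot is freed: models the concurrent reallocation the advisory describes. */
static struct net_if *concurrent_allocator;

static struct net_pkt *net_pkt_alloc(struct net_if *iface)
{
    for (int i = 0; i < SLAB_SLOTS; i++) {
        if (!slab[i].in_use) {
            slab[i] = (struct net_pkt){ .iface = iface, .in_use = true };
            return &slab[i];
        }
    }
    return NULL;
}

/* Final unref: the slot returns to the slab. Scrubbing it makes the "iface
 * reads back as NULL" outcome deterministic instead of undefined behaviour. */
static void net_pkt_unref(struct net_pkt *pkt)
{
    if (pkt != NULL) memset(pkt, 0, sizeof(*pkt));
}

/* Stand-in for net_send_data(): on success the L2 driver consumes and frees
 * the packet, so the caller must not touch pkt after a 0 return. */
static int net_send_data(struct net_pkt *pkt)
{
    if (pkt == NULL || !pkt->in_use) return -1;
    net_pkt_unref(pkt);
    if (concurrent_allocator != NULL) (void)net_pkt_alloc(concurrent_allocator);
    return 0;
}

/* Stand-in for the stats update; -1 on NULL stands in for the NULL dereference
 * the real per-interface UPDATE_STAT() would perform. */
static int net_stats_mld_sent(struct net_if *iface)
{
    if (iface == NULL) return -1;
    iface->mld_sent++;
    return 0;
}

/* Vulnerable shape: pkt->iface is read after ownership was handed over. */
static int mld_send_vulnerable(struct net_pkt *pkt)
{
    int ret = net_send_data(pkt);
    if (ret < 0) {
        net_pkt_unref(pkt);
        return ret;
    }
    return net_stats_mld_sent(pkt->iface); /* use-after-free read */
}

/* Corrected shape (the pattern igmp_send() already used): cache the interface
 * first and never touch pkt after a successful send. */
static int mld_send_fixed(struct net_pkt *pkt)
{
    struct net_if *iface = pkt->iface;
    int ret = net_send_data(pkt);
    if (ret < 0) {
        net_pkt_unref(pkt);
        return ret;
    }
    return net_stats_mld_sent(iface);
}

/* ret: mld_send result; own: eth0's counter; other: wlan0's counter. */
struct report_outcome { int ret; unsigned long own, other; };

/* Sends one MLD report from eth0, optionally with wlan0 reusing the freed
 * slot in between, and reports where the statistics increment landed. */
static struct report_outcome run_report(int (*send)(struct net_pkt *), bool race)
{
    struct net_if eth0 = { 0 }, wlan0 = { 0 };
    memset(slab, 0, sizeof(slab));
    concurrent_allocator = race ? &wlan0 : NULL;
    int ret = send(net_pkt_alloc(&eth0));
    concurrent_allocator = NULL;
    return (struct report_outcome){ ret, eth0.mld_sent, wlan0.mld_sent };
}

int main(void)
{
    struct report_outcome r = run_report(mld_send_vulnerable, true);
    printf("vulnerable, race: eth0=%lu wlan0=%lu (stray increment)\n", r.own, r.other);
    r = run_report(mld_send_fixed, true);
    printf("fixed, race:      eth0=%lu wlan0=%lu\n", r.own, r.other);
    return 0;
}
```

Without a racing allocator the vulnerable path sees a scrubbed slot and the stats update is handed a NULL interface; with one, the increment lands on whichever interface now owns the slot. The corrected shape is unaffected by either because it never dereferences pkt after the send.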
Fix
Use After Free
Weakness Enumeration
Related Identifiers
Affected Products
Zephyr