PT-2026-49711 · Zephyrproject · Zephyr

Published

2026-06-16

·

Updated

2026-06-16

·

CVE-2026-10638

CVSS v3.1

5.9

Medium

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent packet. The send path (net_try_send_data() → net_if_tx()) unreferences and may free the packet back to its memory slab before returning: synchronously in the RX thread when no TX queue is configured (CONFIG_NET_TC_TX_COUNT == 0), and asynchronously otherwise, where the driver/L2 may already have freed it.

net_pkt_iface() therefore dereferences a freed (and possibly reused) net_pkt; with CONFIG_NET_STATISTICS_PER_INTERFACE the stale iface pointer is further dereferenced and written through (iface->stats.icmp.sent++), turning the use-after-free read into a write through an attacker-influenceable pointer. The core stack already documents this hazard in net_core.c ("do not use pkt after that call") and caches iface before sending; the ICMPv6 callers did not.

An unauthenticated remote attacker triggers the flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error (unknown next header, fragment reassembly timeout, destination unreachable), leading to denial of service via crash and potential memory corruption. Affected: Zephyr networking with CONFIG_NET_NATIVE_IPV6, roughly v4.2.0 through v4.4.0. The fix caches the interface pointer before sending and uses it for all statistics updates; the sibling commit 86e21665d46 fixes the identical bug in ICMPv4.
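The ordering hazard the advisory describes, and the shape of the fix, as an added self-contained C example that is not Zephyr's code: struct net_if, struct net_pkt, the one-slot slab and send_consumes() are hypothetical stand-ins for net_if, net_pkt, the packet memory slab and net_try_send_data()/net_if_tx(). The slab is a static slot rather than freed heap memory, so the "stale" read is observable instead of undefined; in the real stack the same read touches freed memory. The vulnerable functions read the interface after the send (once with no reuse, once after another owner has taken the slot), the fixed one caches it first, matching the patch's approach.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for Zephyr's struct net_if and struct net_pkt:
 * only the fields this demonstration needs. */
struct net_if {
    const char *name;
    unsigned icmp_sent;      /* stands in for iface->stats.icmp.sent */
};

struct net_pkt {
    struct net_if *iface;
    bool in_use;             /* slab bookkeeping: false once freed */
};

/* A one-slot "memory slab": the smallest pool that still shows reuse. */
static struct net_pkt slab_slot;

static struct net_pkt *pkt_alloc(struct net_if *iface)
{
    if (slab_slot.in_use) {
        return NULL;
    }
    slab_slot.in_use = true;
    slab_slot.iface = iface;
    return &slab_slot;
}

/* Returning a packet to the slab scrubs it, as a debug allocator would, so a
 * later read of pkt->iface yields NULL (or the next owner's interface). */
static void pkt_free(struct net_pkt *pkt)
{
    pkt->in_use = false;
    pkt->iface = NULL;
}

/* Stand-in for net_try_send_data()/net_if_tx(): the send path consumes the
 * caller's reference, so the packet may be gone when this returns. */
static int send_consumes(struct net_pkt *pkt)
{
    pkt_free(pkt);
    return 0;
}

/* Constructed interfaces used by the demonstrations below. */
struct net_if g_eth0 = { "eth0", 0 };
struct net_if g_wlan0 = { "wlan0", 0 };

/* Vulnerable order, no reuse: read iface from the packet after sending it.
 * Returns the pointer the post-send stats update would dereference
 * (NULL here; freed memory in the real stack). */
struct net_if *stale_iface_after_send(struct net_if *ours)
{
    struct net_pkt *reply = pkt_alloc(ours);
    send_consumes(reply);
    return reply->iface;                      /* use-after-free in the real stack */
}

/* Vulnerable order, with reuse: another context takes the same slab slot for
 * a different interface before the stats update runs. Returns the interface
 * whose counter the stale read actually bumped. */
struct net_if *stale_iface_after_reuse(struct net_if *ours, struct net_if *other)
{
    struct net_pkt *reply = pkt_alloc(ours);
    send_consumes(reply);                      /* reply's slot is free again */
    struct net_pkt *reused = pkt_alloc(other); /* same slot, new owner */
    struct net_if *iface = reply->iface;       /* stale pointer: now `other` */
    iface->icmp_sent++;                        /* write through the stale pointer */
    pkt_free(reused);
    return iface;
}

/* Fixed order, as the advisory describes the patch: cache the interface while
 * the packet is still ours, send, then update statistics via the cached copy. */
struct net_if *cached_iface_then_send(struct net_if *ours)
{
    struct net_pkt *reply = pkt_alloc(ours);
    struct net_if *iface = reply->iface;       /* cached before the send */
    send_consumes(reply);                      /* do not use reply after this */
    iface->icmp_sent++;
    return iface;
}

int main(void)
{
    printf("no reuse: stale read gives %p\n", (void *)stale_iface_after_send(&g_eth0));
    printf("reuse:    stale write hit %s\n", stale_iface_after_reuse(&g_eth0, &g_wlan0)->name);
    printf("fixed:    counted on %s (%u)\n", cached_iface_then_send(&g_eth0)->name, g_eth0.icmp_sent);
    return 0;
}
```

The first vulnerable case is the crash the advisory lists under A:H; the second is why the write through the stale pointer matters more than a plain read: a slot handed to a different owner between the send and the stats update means the counter lands on whatever that owner's iface field now holds. The fixed function is the only one that never touches reply after send_consumes() returns.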

Fix

Weakness Enumeration

Use After Free

Related Identifiers

CVE-2026-10638

Affected Products

Zephyr