PT-2026-49712 · Zephyrproject · Zephyr
Published 2026-06-16 · Updated 2026-06-16 · CVE-2026-10639
CVSS v3.1 4.8 Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L |
In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx() -> net_if_tx() -> L2/driver send, or the asynchronous net_if TX thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref() -> k_mem_slab_free()) before the stats line runs. net_core.c documents this exact contract ("the pkt might contain garbage already ... do not use pkt after that call").
The post-send net_pkt_iface(reply) therefore reads reply->iface out of a freed (and possibly already reallocated) net_pkt: a use-after-free read. With CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer.
The path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input() -> net_icmp_call_ipv4_handlers() -> icmpv4_handle_echo_request()) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, most likely resulting in corrupted interface statistics or a remotely triggerable crash (DoS).
The defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free, because that function reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates.
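To make the ownership hand-off concrete, the following is an added example in C; it is not Zephyr code and not part of this advisory. It is a constructed model of the net_pkt slab with a refcount, a send function that takes ownership and drops the last reference, a per-interface "sent" counter, and the pre-fix and post-fix handler shapes side by side. All struct and function names (iface_model, pkt_model, pkt_alloc, pkt_unref, try_send_data, stats_update_icmp_sent, echo_reply_vulnerable, echo_reply_fixed, run_echo) are stand-ins chosen for the example, and the racing allocation that recycles the freed slot for a second interface is simulated inline rather than by a real thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not Zephyr code) of the net_pkt slab, the TX
 * ownership hand-off and the per-interface ICMP "sent" counter. */
#define SLAB_SLOTS 2

struct iface_model { const char *name; unsigned icmp_sent; };

struct pkt_model {
    struct iface_model *iface;   /* what net_pkt_iface() would return */
    int ref;
    bool in_use;
};

static struct pkt_model slab[SLAB_SLOTS];   /* stand-in for the k_mem_slab behind net_pkt */

static struct pkt_model *pkt_alloc(struct iface_model *iface)
{
    for (size_t i = 0; i < SLAB_SLOTS; i++) {
        if (slab[i].in_use) continue;
        slab[i].in_use = true;
        slab[i].ref = 1;
        slab[i].iface = iface;
        return &slab[i];
    }
    return NULL;
}

/* net_pkt_unref stand-in: the last unref returns the slot to the slab and
 * poisons it, so a stale reader sees garbage, not the old interface. */
static void pkt_unref(struct pkt_model *pkt)
{
    if (pkt->ref > 0 && --pkt->ref == 0) {
        pkt->in_use = false;
        pkt->iface = NULL;
    }
}

/* net_try_send_data stand-in: ownership moves to the TX path, which drops
 * the final reference. A non-NULL `racer` models another context grabbing
 * the freed slot for a packet on a different interface before the caller
 * reaches its stats line. */
static int try_send_data(struct pkt_model *pkt, struct iface_model *racer)
{
    pkt_unref(pkt);
    if (racer) (void)pkt_alloc(racer);   /* slot recycled; now belongs to racer */
    return 0;
}

/* The real stats macro dereferences unconditionally; a NULL iface is
 * reported as -1 here instead of faulting so the example runs through. */
static int stats_update_icmp_sent(struct iface_model *iface)
{
    if (!iface) return -1;
    iface->icmp_sent++;
    return 0;
}

/* Pre-fix shape: build the reply on orig's interface, send, then read the
 * interface back out of `reply` after the TX path may have freed/recycled it. */
static int echo_reply_vulnerable(struct pkt_model *orig, struct iface_model *racer)
{
    struct pkt_model *reply = pkt_alloc(orig->iface);
    if (!reply) return -1;
    if (try_send_data(reply, racer) < 0) { pkt_unref(reply); return -1; }
    return stats_update_icmp_sent(reply->iface);   /* use after free */
}

/* Fixed shape: cache the interface from the caller-owned, still-live
 * received packet before the hand-off and use only that afterwards. */
static int echo_reply_fixed(struct pkt_model *orig, struct iface_model *racer)
{
    struct iface_model *iface = orig->iface;
    struct pkt_model *reply = pkt_alloc(iface);
    if (!reply) return -1;
    if (try_send_data(reply, racer) < 0) { pkt_unref(reply); return -1; }
    return stats_update_icmp_sent(iface);
}

/* One echo on eth0, optionally with a racing allocation on wlan0.
 * Returns 0 if eth0's counter went up, 1 if wlan0's did (corrupted stats),
 * -1 if the handler read a NULL iface (a fault in the real stack). */
static int run_echo(bool fixed, bool with_racer)
{
    struct iface_model eth = { "eth0", 0 }, wifi = { "wlan0", 0 };
    struct iface_model *racer = with_racer ? &wifi : NULL;

    memset(slab, 0, sizeof(slab));
    struct pkt_model *orig = pkt_alloc(&eth);      /* the received echo request */
    int rc = fixed ? echo_reply_fixed(orig, racer) : echo_reply_vulnerable(orig, racer);
    pkt_unref(orig);                               /* caller still owns the request */

    if (rc < 0) return -1;
    if (wifi.icmp_sent == 1) return 1;
    return eth.icmp_sent == 1 ? 0 : -2;
}

int main(void)
{
    printf("vulnerable, no race: %d\n", run_echo(false, false));   /* -1 */
    printf("vulnerable, race:    %d\n", run_echo(false, true));    /*  1 */
    printf("fixed, no race:      %d\n", run_echo(true, false));    /*  0 */
    printf("fixed, race:         %d\n", run_echo(true, true));     /*  0 */
    return 0;
}
```

The two outcomes of the vulnerable path mirror the advisory's impact statement: without a racing allocation the stale read yields a poisoned pointer (a crash in the real stack), with one it lands on whichever interface now owns the recycled slot and silently bumps that interface's counter. The fixed path is unaffected in both cases because it never touches reply after the hand-off.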
Fix
Weakness Enumeration
Use After Free (CWE-416)
Related Identifiers
CVE-2026-10639
Affected Products
Zephyr