PT-2026-49713 · Zephyrproject · Zephyr
Published 2026-06-16 · Updated 2026-06-16
CVE-2026-10640
CVSS v3.1 4.2 (Medium)
| Vector | AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L |
Zephyr's IPv6 Neighbor Discovery send paths (`net_ipv6_send_na`, `net_ipv6_send_ns` and `net_ipv6_send_rs` in `subsys/net/ip/ipv6_nbr.c`) updated the per-interface ICMP-sent statistics by calling `net_pkt_iface(pkt)` after `net_send_data(pkt)` had already returned successfully. On the success path the network stack owns and releases the packet's reference (the L2/driver send unrefs it, e.g. `ethernet_send()` -> `net_pkt_unref()`), so for a freshly allocated packet with refcount 1 the `net_pkt` slab block can be freed before the statistics line runs (synchronously when no TX queue thread is configured, or from a concurrent TX thread otherwise).
The subsequent `net_pkt_iface(pkt)` reads `pkt->iface` from the freed slab block, and with `CONFIG_NET_STATISTICS_PER_INTERFACE` enabled that loaded pointer is dereferenced to increment `iface->stats.icmp.sent`: a use-after-free (CWE-416). If the slab block was reallocated in the meantime, the read and the increment target unrelated or attacker-influenced memory, yielding corrupted statistics, a fault or crash (denial of service), or potentially limited memory corruption.
The vulnerable Neighbor Advertisement path is reachable by any unauthenticated on-link node simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled (`handle_ns_input()` -> `net_ipv6_send_na()`).
Affected from v3.3.0 through v4.4.0; the fix uses the already-available `iface` argument instead of touching the sent packet. Configurations without per-interface statistics update only a global counter and are not affected by the memory-safety aspect.
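The ownership mistake described above, modelled as an added example that is not Zephyr code: a toy slab with refcounts, a send path that consumes the caller's reference, and the vulnerable versus fixed shape of the statistics update. All types and function names are simplified stand-ins, and `reused_block_iface` is a constructed placeholder for whatever occupies the slab block after it is freed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins for Zephyr types; icmp_sent plays iface->stats.icmp.sent. */
struct net_if { uint32_t icmp_sent; };
struct net_pkt { struct net_if *iface; int ref; bool live; };
static struct net_pkt pool[4];               /* models the net_pkt slab */
static struct net_if reused_block_iface;     /* constructed: next owner of a freed block */

/* Models net_pkt_alloc(): hand out a free block with refcount 1. */
static struct net_pkt *pkt_alloc(struct net_if *iface) {
    for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++) {
        if (!pool[i].live) {
            pool[i] = (struct net_pkt){ .iface = iface, .ref = 1, .live = true };
            return &pool[i];
        }
    }
    return NULL;
}

/* Models net_pkt_unref(): the last reference frees the block. A freed block's contents
 * belong to its next owner; here it is handed straight to a packet on another interface. */
static void pkt_unref(struct net_pkt *pkt) {
    if (--pkt->ref == 0) {
        pkt->live = false;
        pkt->iface = &reused_block_iface;
    }
}

/* Models net_send_data(): on success the stack consumes the caller's reference. */
static int send_data(struct net_pkt *pkt) { pkt_unref(pkt); return 0; }

/* Vulnerable shape of net_ipv6_send_na(): touches pkt after send_data() returned. */
int send_na_vulnerable(struct net_if *iface, bool *uaf) {
    struct net_pkt *pkt = pkt_alloc(iface);
    if (!pkt || send_data(pkt) < 0) { *uaf = false; return -1; }
    *uaf = !pkt->live;          /* the net_pkt_iface(pkt) read: block already freed */
    pkt->iface->icmp_sent++;    /* credits whichever interface now owns the block */
    return 0;
}

/* Fixed shape: account against the iface argument; never dereference pkt after send. */
int send_na_fixed(struct net_if *iface, bool *uaf) {
    struct net_pkt *pkt = pkt_alloc(iface);
    if (!pkt || send_data(pkt) < 0) { *uaf = false; return -1; }
    *uaf = false;
    iface->icmp_sent++;
    return 0;
}
```

With the vulnerable shape the counter of `reused_block_iface` goes up while the sending interface's stays at zero, which is the corrupted-statistics outcome; the fixed shape credits the right interface without reading the packet.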
Fix
Weakness Enumeration: Use After Free (CWE-416)
Affected Products: Zephyr