CVE-2026-7656

Name of the Vulnerable Software and Affected Versions Zephyr versions prior to 4.4.0

Description An input validation weakness exists in the IPv6 Neighbor Discovery handlers within subsys/net/ip/ipv6 nbr.c. The functions handle ra input(), handle ns input(), and handle na input() use an incorrect boolean expression when combining RFC 4861 validity checks with ICMPv6 code checks. Due to wrong operator precedence, packets with an ICMPv6 code of 0 cause the entire validation predicate to evaluate as false, allowing the system to skip mandatory checks such as the Hop Limit verification and source address validation.

This allows an adjacent on-link attacker, or potentially a remote attacker, to send forged Router Advertisement (RA), Neighbor Solicitation (NS), and Neighbor Advertisement (NA) messages. Forged RA messages can be used to reconfigure the default router, on-link prefixes (SLAAC), MTU, timers, and DNS servers. Forged NS and NA messages can lead to neighbor-cache poisoning, enabling man-in-the-middle attacks, traffic redirection, and denial of service.

Recommendations Update to version 4.4.0 or later.