PT-2026-53755 · Zephyr · Zephyr

Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-10648

CVSS v3.1: 6.2 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Zephyr version 4.4.0

Description

An issue exists where the mcumgr_serial_process_frag() function in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset() on the result of smp_packet_alloc() without first verifying if the result is NULL. The smp_packet_alloc() function utilizes net_buf_alloc(K_NO_WAIT) against a shared MCUmgr packet pool; when this pool is exhausted, it returns NULL. In default builds, this leads to a NULL pointer dereference during the net_buf_simple_reset process, resulting in a system fault or crash. An attacker with access to the serial, UART, or shell-console transports can flood the transport to exhaust the buffer pool and induce a denial of service.

Recommendations

Update Zephyr version 4.4.0 to a version where the NULL check is performed before calling net_buf_reset().
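
The pattern described above, as an added example that is not Zephyr source and not part of the original advisory: a simplified C model of a no-wait allocation from a fixed pool followed by a reset, with the NULL check in place. The pool, the pkt_* helpers, process_frag_checked() and simulate_burst() are hypothetical names chosen for illustration.

```c
#include <stddef.h>
#include <string.h>
/* Simplified model of a shared packet pool; hypothetical names, not Zephyr source. */
#define POOL_COUNT 4
#define BUF_SIZE   64
struct pkt_buf { unsigned char data[BUF_SIZE]; size_t len; int in_use; };
static struct pkt_buf pool[POOL_COUNT];

/* Non-blocking allocation: returns NULL once every buffer is in use. */
struct pkt_buf *pkt_alloc_nowait(void)
{
    for (size_t i = 0; i < POOL_COUNT; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            return &pool[i];
        }
    }
    return NULL;
}

void pkt_free(struct pkt_buf *b) { if (b != NULL) b->in_use = 0; }
void pkt_reset(struct pkt_buf *b) { b->len = 0; } /* dereferences b */

/* Checked handler: a failed allocation is counted and dropped, never reset. */
struct pkt_buf *process_frag_checked(const unsigned char *frag, size_t n,
                                     unsigned int *dropped)
{
    struct pkt_buf *b = pkt_alloc_nowait();
    if (b == NULL || n > BUF_SIZE) {
        pkt_free(b);            /* no-op when allocation failed */
        (*dropped)++;
        return NULL;
    }
    pkt_reset(b);
    memcpy(b->data, frag, n);
    b->len = n;
    return b;
}

/* Feed constructed fragments while no buffer is released; returns the drop count. */
unsigned int simulate_burst(unsigned int frames)
{
    static const unsigned char frag[] = "constructed-fragment";
    unsigned int dropped = 0;
    memset(pool, 0, sizeof(pool));
    for (unsigned int i = 0; i < frames; i++)
        (void)process_frag_checked(frag, sizeof(frag), &dropped);
    return dropped;
}
```

With the check, exhaustion shows up as a rising drop counter, which can be exported as a health metric, rather than as a fault.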

Fix

NULL Pointer Dereference


Weakness Enumeration

Related Identifiers

CVE-2026-10648

Affected Products

Zephyr