PT-2026-53912 · Zephyr · Zephyr

Published: 2026-06-30 · Updated: 2026-06-30 · CVE-2026-10653

CVSS v3.1: 6.4 (Medium)

Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Name of the Vulnerable Software and Affected Versions

Zephyr versions prior to 4.4.1

Description

The net_buf library in lib/net_buf/buf.c uses non-atomic C operators to manage reference counts for the per-header buf->ref and the per-data-block ref count. Because the API is designed to be self-synchronizing, allowing multiple threads to share a buffer and call net_buf_unref() without external locks, a race condition occurs under true concurrency. This happens when two holders observe the same reference value and both conclude they are the last reference. For heap or variable-data pools, this leads to a double free of the same block, causing heap-metadata corruption and a use-after-free. For per-header reference counts, the buffer is returned to the pool free LIFO twice, corrupting the free list and potentially assigning the same buffer to two different owners. This issue affects components such as zbus message subscribers, IP stack RX/TX buffers, capture, wireguard, ISO-TP, usbip, Bluetooth, and networking.

Recommendations

Update Zephyr to version 4.4.1 or later to replace non-atomic reference count manipulations with atomic_inc and atomic_dec functions.
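
The race described above, as an added example (not Zephyr's code): a single-threaded replay of one interleaving in which a plain decrement followed by a separate test lets both holders free the buffer, next to an atomic read-modify-write that lets only one do so. All names (demo_buf, pool_put, replay_racy and so on) are hypothetical, the pool free LIFO is modelled as a small stack, and C11 atomic_fetch_sub stands in for the kernel's atomic operations.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model; every name here is hypothetical, not Zephyr's. */
struct demo_buf { unsigned char ref; atomic_int aref; };

static struct demo_buf *lifo[4];   /* pool free list, modelled as a stack */
static size_t lifo_len;

static void pool_put(struct demo_buf *b) { lifo[lifo_len++] = b; }
static struct demo_buf *pool_get(void) { return lifo_len ? lifo[--lifo_len] : NULL; }

/* Vulnerable pattern, split into its two separate memory accesses. */
static void racy_dec(struct demo_buf *b) { b->ref = (unsigned char)(b->ref - 1); }
static void racy_test_and_free(struct demo_buf *b) { if (b->ref == 0) pool_put(b); }

/* Fixed pattern: one atomic read-modify-write; only the caller that saw 1 frees. */
static void atomic_unref(struct demo_buf *b) { if (atomic_fetch_sub(&b->aref, 1) == 1) pool_put(b); }

/* Returns 1 if two consecutive allocations hand out the same buffer. */
static int same_buf_allocated_twice(void)
{
    struct demo_buf *x = pool_get(), *y = pool_get();
    return x != NULL && x == y;
}

int replay_racy(void)
{
    struct demo_buf b = { .ref = 2 };
    lifo_len = 0;
    racy_dec(&b);            /* holder A: 2 -> 1 */
    racy_dec(&b);            /* holder B: 1 -> 0, before A has tested */
    racy_test_and_free(&b);  /* A reads 0 and returns the buffer */
    racy_test_and_free(&b);  /* B reads 0 and returns it again */
    return same_buf_allocated_twice();
}

int replay_atomic(void)
{
    struct demo_buf b = { .ref = 0 };
    lifo_len = 0;
    atomic_init(&b.aref, 2);
    atomic_unref(&b);        /* A saw 2: not the last reference */
    atomic_unref(&b);        /* B saw 1: last reference, frees once */
    return same_buf_allocated_twice();
}

int main(void) { printf("racy: %d, atomic: %d\n", replay_racy(), replay_atomic()); return 0; }
```
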

Fix

Double Free

Weakness Enumeration

Related Identifiers

CVE-2026-10653

Affected Products

Zephyr