PT-2026-53912 · Zephyr · Zephyr
Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-10653
CVSS v3.1: 6.4 Medium
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions
Zephyr versions prior to 4.4.1
Description
The net_buf library in lib/net_buf/buf.c uses non-atomic C operators to manage reference counts for the per-header buf->ref and the per-data-block ref count. Because the API is designed to be self-synchronizing, allowing multiple threads to share a buffer and call net_buf_unref() without external locks, a race condition occurs under true concurrency. This happens when two holders observe the same reference value and both conclude they are the last reference. For heap or variable-data pools, this leads to a double free of the same block, causing heap-metadata corruption and a use-after-free. For per-header reference counts, the buffer is returned to the pool free LIFO twice, corrupting the free list and potentially assigning the same buffer to two different owners. This issue affects components such as zbus message subscribers, IP stack RX/TX buffers, capture, wireguard, ISO-TP, usbip, Bluetooth, and networking.
Recommendations
Update Zephyr to version 4.4.1 or later to replace non-atomic reference count manipulations with atomic_inc and atomic_dec functions.
Fix
Double Free
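The race described above and the atomic fix, as an added example that is not Zephyr's code: a deterministic replay of two holders releasing one buffer, assuming the plain decrement and the zero test are separate memory accesses. The names model_buf, plain_step, atomic_step and replay are hypothetical, and C11 atomic_fetch_sub stands in for Zephyr's atomic_dec.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical model of a shared buffer; not Zephyr's struct net_buf. */
struct model_buf {
    unsigned char ref;   /* plain counter (vulnerable pattern) */
    atomic_int aref;     /* atomic counter (fixed pattern) */
    int frees;           /* times the block was handed back to the pool */
};

/* Plain unref split into its two memory accesses (assumed model):
 * step 0 decrements, step 1 re-reads the counter and frees on zero. */
static void plain_step(struct model_buf *b, int step)
{
    if (step == 0) b->ref--;
    else if (b->ref == 0) b->frees++;
}

/* Atomic unref is one indivisible step: fetch_sub returns the old value,
 * so exactly one caller sees 1 and frees. */
static void atomic_step(struct model_buf *b)
{
    if (atomic_fetch_sub(&b->aref, 1) == 1) b->frees++;
}

/* Replay a schedule such as "ABAB" for two holders A and B and return
 * how many times the block was freed. */
int replay(const char *schedule, int use_atomic)
{
    struct model_buf b = { .ref = 2, .frees = 0 };
    int pc[2] = { 0, 0 };               /* next step of A and of B */
    atomic_init(&b.aref, 2);
    for (const char *s = schedule; *s; s++) {
        int t = (*s == 'B');
        if (use_atomic) { if (pc[t]++ == 0) atomic_step(&b); }
        else if (pc[t] < 2) plain_step(&b, pc[t]++);
    }
    return b.frees;
}

int main(void)
{
    /* Constructed input: every interleaving of two 2-step holders. */
    const char *all[] = { "AABB", "ABAB", "ABBA", "BAAB", "BABA", "BBAA" };
    for (int i = 0; i < 6; i++)
        printf("%s plain frees=%d atomic frees=%d\n",
               all[i], replay(all[i], 0), replay(all[i], 1));
    return 0;
}
```

In this model, the four schedules where both decrements precede both tests free the block twice, while the atomic version frees it once under every schedule.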
Weakness Enumeration
Related Identifiers
Affected Products
Zephyr