PT-2026-53914 · Zephyrproject · Zephyr

Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-10655

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

The asynchronous SNTP client in Zephyr (subsys/net/lib/sntp/sntp.c, sntp_close_async) closed the UDP socket file descriptor directly from the calling thread immediately after detaching it from the network socket service, without synchronizing with the socket-service poll thread.
The socket service thread polls each socket via zvfs_poll, which (in zsock_poll_prepare_ctx) registers a k_poll event pointing into the socket's net_context (&ctx->recv_q) and then blocks in k_poll without holding a reference or lock. net_context objects are allocated from a fixed pool (contexts[CONFIG_NET_MAX_CONTEXTS]) and reused after close.
When sntp_close_async is invoked from a different thread than the poll thread (in the in-tree consumer subsys/net/lib/config/init_clock_sntp.c, the SNTP timeout handler runs on the system workqueue while the socket service thread is blocked in poll on the same fd), the close frees and may reuse the net_context while the poll thread still has a poller node linked into the freed object, resulting in a use-after-free / object confusion of kernel poll structures.
The SNTP timeout path is the normal no-response failure mode, so a network peer or off-path attacker who drops or delays the SNTP/NTP response can drive the racing close repeatedly (and periodically with NET_CONFIG_SNTP_INIT_RESYNC). The most likely consequence is a crash of the networking thread (denial of service), with potential memory corruption when the freed context slot is reallocated.
The fix defers the close to the socket service thread itself via net_socket_service_close (NET_SOCKET_SERVICE_CLOSE_SOCKETS), so the same thread that polls performs the close, eliminating the race. Affected releases: v4.2.0 through v4.4.0.
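
The ordering problem described above, as an added single-threaded model. It is not Zephyr code and not part of the original advisory. All names (ctx, poller, waiter_stale_after_close) and the generation counter used to detect reuse are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONTEXTS 2  /* model of a small fixed pool; not Zephyr code */

struct poller;
struct ctx { bool in_use; unsigned gen; struct poller *waiter; };
struct poller { struct ctx *target; unsigned gen_seen; };
static struct ctx pool[MAX_CONTEXTS];

static struct ctx *ctx_alloc(void) {
    for (int i = 0; i < MAX_CONTEXTS; i++) {
        if (!pool[i].in_use) {
            /* Reissue the slot: bump the generation, drop any old waiter. */
            pool[i] = (struct ctx){ .in_use = true, .gen = pool[i].gen + 1 };
            return &pool[i];
        }
    }
    return NULL;
}
static void ctx_free(struct ctx *c) { c->in_use = false; }

/* Poll side: link a waiter into the context without taking a reference. */
static void poll_register(struct poller *p, struct ctx *c) {
    p->target = c; p->gen_seen = c->gen; c->waiter = p;
}
static void poll_unregister(struct poller *p) {
    if (p->target) p->target->waiter = NULL;
    p->target = NULL;
}
/* True when the waiter still points at a slot that was freed or reissued. */
static bool poller_is_stale(const struct poller *p) {
    return p->target && (!p->target->in_use || p->target->gen != p->gen_seen);
}

/* close_on_poll_thread=false: another thread frees the slot while the
 * waiter is linked. true: the poll thread unlinks first, then frees. */
bool waiter_stale_after_close(bool close_on_poll_thread) {
    struct poller p = {0};
    memset(pool, 0, sizeof(pool));
    struct ctx *c = ctx_alloc();
    poll_register(&p, c);
    if (close_on_poll_thread) poll_unregister(&p);
    ctx_free(c);
    (void)ctx_alloc();  /* an unrelated socket takes the same slot */
    return poller_is_stale(&p);
}

int main(void) {
    printf("direct close:   stale=%d\n", waiter_stale_after_close(false));
    printf("deferred close: stale=%d\n", waiter_stale_after_close(true));
    return 0;
}
```

In the direct-close ordering the waiter ends up pointing at a slot that now belongs to a different socket. When the polling side performs the close, the waiter is unlinked before the slot can be reissued.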

Fix

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2026-10655

Affected Products

Zephyr