PT-2026-57569 · Zephyrproject · Zephyr

Published

2026-07-12

·

Updated

2026-07-12

·

CVE-2026-10667

CVSS v3.1

7.8

High

VectorAV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Zephyr's dynamic kernel-object tracking (kernel/userspace/userspace.c, formerly kernel/userspace.c) maintains a doubly-linked list (obj list) of dynamically allocated kernel objects. Iteration over this list in k object wordlist foreach() was performed under lists lock using the SAFE iterator (which caches the next node), but list removal and freeing of nodes was performed under different, disjoint spinlocks: objfree lock in k object free() and obj lock in unref check(). On an SMP system, while one CPU iterated obj list under lists lock, another CPU could unlink and k free() the dyn obj node that the iterator had cached as its next pointer, causing the iterator to dereference freed kernel memory (use-after-free / dangling list traversal). All of the racing operations are reachable from unprivileged user-mode threads via system calls: k object alloc/k object alloc size and k object release drive removals through unref check() (under obj lock), while k thread abort and thread creation drive the iteration through k thread perms all clear()/k thread perms inherit() (under lists lock). A deprivileged user thread on a CONFIG SMP + CONFIG USERSPACE build can therefore corrupt the kernel's object-tracking structures across the userspace security boundary, yielding kernel memory corruption (potential privilege escalation) or a kernel crash (denial of service). The fix removes objfree lock and serializes every obj list modification under lists lock, including holding it across find+remove in k object free() and around unref check() in k thread perms clear(). Affects CONFIG SMP+CONFIG USERSPACE+CONFIG DYNAMIC OBJECTS configurations; the defect dates to the 2019 spinlockification (commit 8a3d57b6cc6, first released in v1.14.0) and shipped through v4.4.0.

Fix

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-10667

Affected Products

Zephyr