CVE-2026-10634
MediumCVSS 4.8Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
Zephyr's TCP stack has a use-after-free vulnerability in net_tcp_foreach(). Releasing tcp_lock during callback iteration allows a concurrent thread to free the next list element, leading to dereferencing freed memory. The bug exists in the TCP2 stack from 2020 up to v4.4.0.
Risk Assessment
An attacker can remotely crash the system (denial of service) by sending TCP traffic that closes connections, triggering a race condition. If freed memory is reused, information disclosure or further faults may occur.
Recommendation
Upgrade Zephyr to a patched version (v4.4.1 or later). If upgrading is not possible, restrict access to the 'net conn' shell command and avoid network interface down events in production.
Original NVD description (English source)
Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired it afterwards. During that window a concurrent tcp_conn_release(), running on the dedicated TCP work-queue thread when a connection's reference count drops to zero (e.g. a remote peer closing or resetting the connection), can remove and k_mem_slab_free() the cached next connection. When the iterator advances it dereferences the freed (and possibly reallocated) slab memory — a use-after-free that can crash the system (denial of service) and, if the slot has been reused, cause the callback to operate on an attacker-influenced object (potential information disclosure or further fault). net_tcp_foreach() is reached in production via the 'net conn' network shell command and via net_tcp_close_all_for_iface() on interface-down; the freeing side is driven by ordinary TCP traffic. The fix moves the connection/context teardown in tcp_conn_release() inside the tcp_lock critical section and keeps tcp_lock held across the callback in net_tcp_foreach(). The defect was introduced with the modern (TCP2) stack in 2020 and affects releases up to and including v4.4.0.

