Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10648

CVE-2026-10648: Zephyrproject Zephyr DOS Vulnerability

CVE-2026-10648 is a denial of service vulnerability in Zephyrproject Zephyr caused by a NULL pointer dereference in mcumgr_serial_process_frag(). This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-10648 Overview

CVE-2026-10648 is a NULL pointer dereference vulnerability in the Zephyr real-time operating system (RTOS) MCUmgr serial transport. The flaw resides in mcumgr_serial_process_frag() within subsys/mgmt/mcumgr/transport/src/serial_util.c. The function calls net_buf_reset() on the result of smp_packet_alloc() before verifying the returned pointer is non-NULL. When the shared MCUmgr packet pool is exhausted, smp_packet_alloc() returns NULL, and the subsequent write dereferences a NULL pointer. An attacker with access to the serial, UART, or shell-console transport can flood the link to exhaust the four-entry buffer pool and crash the device.

Critical Impact

Attackers with local access to the MCUmgr serial transport can trigger a device crash, resulting in denial of service on affected Zephyr firmware builds.

Affected Products

  • Zephyr RTOS 4.4.0
  • Zephyr RTOS 4.4.0-rc1, rc2, rc3
  • Devices built with CONFIG_MCUMGR_TRANSPORT_SERIAL, CONFIG_MCUMGR_TRANSPORT_UART, or SMP-over-shell console

Discovery Timeline

  • 2026-06-29 - CVE-2026-10648 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-10648

Vulnerability Analysis

The defect is classified as a NULL pointer dereference [CWE-476]. The function mcumgr_serial_process_frag() allocates a network buffer through smp_packet_alloc(), which internally invokes net_buf_alloc(K_NO_WAIT) against the shared MCUmgr packet pool. The pool size is controlled by CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT, which defaults to four buffers. When all buffers are in use, the allocator returns NULL immediately rather than blocking.

The original code called net_buf_reset() on the returned pointer before checking it for NULL. In production builds, __ASSERT_NO_MSG inside net_buf_reset compiles to a no-op, so net_buf_simple_reset proceeds to write buf->len = 0 and buf->data = buf->__buf through the NULL pointer. This triggers a memory access fault and halts the device.

Root Cause

The root cause is an ordering error: the sanity check for a NULL allocation was placed after the reset operation instead of before it. Because assertions are disabled in default builds, the invalid dereference is not caught and the fault reaches the CPU.

Attack Vector

Attacker-controlled bytes arrive from the MCUmgr serial, UART, or shell-console transports handled by smp_uart.c, smp_raw_uart.c, and smp_shell.c. A fresh buffer is allocated at the start of nearly every new packet. By flooding the transport with packet fragments, an attacker holds all four buffers in flight and forces subsequent allocations to fail, reliably triggering the NULL dereference.

c
// Patch from Zephyr commit 6f363ec6f7fd6ae9ed7ca2ae66fd9c82dce31c59
// mgmt: mcumgr: transport: Fix resetting invalid buffer

	if (rx_ctxt->nb == NULL) {
		rx_ctxt->nb = smp_packet_alloc();
-		net_buf_reset(rx_ctxt->nb);
 		if (rx_ctxt->nb == NULL) {
 			return NULL;
 		}
+		net_buf_reset(rx_ctxt->nb);
 	}

Source: Zephyr GitHub Commit 6f363ec. The fix moves the NULL check ahead of net_buf_reset(), ensuring the reset only executes on a valid buffer.

Detection Methods for CVE-2026-10648

Indicators of Compromise

  • Unexpected device resets or fault handler traces referencing net_buf_simple_reset or mcumgr_serial_process_frag.
  • Sustained bursts of MCUmgr SMP fragments on UART or shell-console interfaces preceding a crash.
  • Log entries showing smp_packet_alloc() failures or buffer pool exhaustion warnings.

Detection Strategies

  • Enable assertion builds (CONFIG_ASSERT=y) during testing to convert silent NULL writes into explicit assertion failures.
  • Instrument the MCUmgr transport to log packet allocation failures and correlate them with device restart events.
  • Monitor serial and console traffic for abnormal fragment rates that could indicate flooding against the transport.

Monitoring Recommendations

  • Track device uptime and unplanned reboot counters for embedded fleets running Zephyr 4.4.0.
  • Capture fault reports through Zephyr's coredump or logging subsystem for offline triage.
  • Alert on repeated MCUmgr session failures originating from the same physical interface.

How to Mitigate CVE-2026-10648

Immediate Actions Required

  • Apply the upstream patch from Zephyr commit 6f363ec6f7fd6ae9ed7ca2ae66fd9c82dce31c59 and rebuild affected firmware images.
  • Restrict physical and logical access to serial, UART, and shell-console interfaces exposing MCUmgr.
  • Audit firmware inventories for builds based on Zephyr 4.4.0 and its release candidates.

Patch Information

The fix is available in the Zephyr project as commit 6f363ec6f7fd6ae9ed7ca2ae66fd9c82dce31c59. Details are documented in the Zephyr Security Advisory GHSA-j64f-h3ww-f32c. Vendors shipping Zephyr-based devices should integrate the patch, rebuild firmware, and distribute updated images through their secure update channel.

Workarounds

  • Increase CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT to raise the threshold for pool exhaustion, though this only delays the condition.
  • Disable the MCUmgr serial, UART, and shell-console transports in production builds when they are not required.
  • Gate access to console interfaces behind authentication or hardware access controls where the platform supports it.
bash
# Zephyr Kconfig example: disable MCUmgr serial transports when unused
CONFIG_MCUMGR_TRANSPORT_SERIAL=n
CONFIG_MCUMGR_TRANSPORT_UART=n
CONFIG_MCUMGR_TRANSPORT_SHELL=n

# If the transport must remain enabled, enlarge the buffer pool
CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT=16

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.