CVE-2026-5590 Overview
CVE-2026-5590 is a race condition in the Zephyr RTOS network stack that triggers a NULL pointer dereference during TCP connection teardown. When tcp_conn_search() returns NULL while processing an incoming SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation. The result is a crash of the affected device or service. The flaw is tracked under [CWE-476: NULL Pointer Dereference] and is exposed over the network, making it reachable by any attacker capable of sending TCP traffic to a vulnerable Zephyr-based device.
Critical Impact
A remote attacker can crash a Zephyr-based device by racing TCP teardown with new SYN packets, producing a denial-of-service condition on embedded and IoT systems.
Affected Products
- Zephyr Project RTOS (network stack, TCP implementation)
- Embedded and IoT devices built on Zephyr that expose TCP services
- Downstream products integrating the vulnerable Zephyr TCP code
Discovery Timeline
- 2026-04-05 - CVE-2026-5590 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-5590
Vulnerability Analysis
The defect resides in Zephyr's TCP receive path, specifically in the interaction between tcp_recv(), tcp_conn_search(), and tcp_backlog_is_full(). Under normal operation, tcp_conn_search() locates the connection context associated with an incoming segment. During a connection teardown that overlaps with the arrival of a new SYN packet, the connection can be released between lookup attempts. The teardown path leaves stale context references in the receive flow.
When the lookup subsequently returns NULL for the released connection, the code path still forwards a pointer derived from the stale context into tcp_backlog_is_full(). That function dereferences the pointer without checking it. The dereference faults and the network thread crashes, which on many Zephyr deployments halts the device or forces a watchdog-driven reboot.
The vulnerability is a classic concurrency defect: two valid code paths produce an invalid state when interleaved. Single-threaded testing does not reproduce it reliably, which is why the issue survived into shipped firmware.
Root Cause
The root cause is missing validation of the connection pointer after a teardown-induced lookup miss. The TCP receive logic assumes a non-NULL connection context when calling helper functions such as tcp_backlog_is_full(). Combined with the absence of synchronization between the teardown sequence and the SYN-processing path, the assumption breaks. See the GitHub Security Advisory for upstream technical detail.
Attack Vector
The vulnerability is reachable over the network. An attacker who can send TCP traffic to a Zephyr device repeatedly initiates and tears down TCP connections while injecting additional SYN packets. The attack does not require code execution on the target, but it does require timing precision to win the race window between connection release and SYN processing. Successful exploitation results in a crash and denial of service rather than code execution or data disclosure.
Detection Methods for CVE-2026-5590
Indicators of Compromise
- Unexpected reboots or watchdog resets on Zephyr-based devices correlated with inbound TCP traffic bursts.
- Crash logs or fault dumps referencing tcp_recv, tcp_conn_search, or tcp_backlog_is_full in the call stack.
- Repeated short-lived TCP connection attempts from a single source followed by service unavailability.
Detection Strategies
- Monitor network telemetry for high-rate SYN traffic targeting embedded device IP ranges, especially when paired with connection resets.
- Correlate device-side crash or reset events with upstream packet captures to identify TCP teardown race patterns.
- Inspect firmware build manifests to identify deployments running unpatched Zephyr TCP code.
Monitoring Recommendations
- Aggregate device availability and reboot telemetry from IoT fleets into a centralized log platform for anomaly detection.
- Capture full-packet traces on network segments hosting Zephyr devices when sustained service degradation is observed.
- Alert on sudden drops in heartbeat or keepalive traffic from Zephyr endpoints that may indicate exploitation.
How to Mitigate CVE-2026-5590
Immediate Actions Required
- Inventory all firmware images and devices that include the Zephyr TCP stack and identify exposed TCP services.
- Apply the upstream Zephyr fix referenced in the security advisory and rebuild affected firmware.
- Restrict network reachability of Zephyr-based devices to trusted segments until patched firmware is deployed.
Patch Information
The Zephyr Project has published a security advisory with patch details at the GitHub Security Advisory GHSA-4vqm-pw24-g9jp. Vendors integrating Zephyr should pull the corrected TCP source, rebuild firmware images, and distribute updates through their normal OTA or service channels.
Workarounds
- Place vulnerable devices behind a stateful firewall that rate-limits SYN traffic and filters connection floods.
- Disable or restrict any non-essential TCP listeners on Zephyr devices to reduce reachable attack surface.
- Where feasible, enforce TCP connection allowlists so only known peers can initiate sessions with the device.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
