CVE-2026-10638
The CVE describes a use-after-free in Zephyr’s ICMPv6 RX path: after sending an ICMPv6 Echo Request or an error, post-send statistics update references net_pkt_iface(reply/pkt) on a packet that may already be freed by net_try_send_data (or by the driver/L2). If CONFIG_NET_TC_TX_COUNT is 0 or the ...