CVE-2026-5590NULL Pointer Dereference in Zephyr

CWE-476NULL Pointer Dereference2 documents2 sources
Severity
6.4MEDIUMNVD
EPSS
0.0%
top 86.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Zephyrproject-rtos Zephyr
Timeline
PublishedApr 5

Description

A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:HExploitability: 1.6 | Impact: 4.7

Affected Packages1 packages

CVEListV5zephyrproject-rtos/zephyr*4.3

🔴Vulnerability Details

1
CVEList
net: ip/tcp: Null pointer dereference can be triggered by a race condition2026-04-05
CVE-2026-5590 — NULL Pointer Dereference in Zephyr | cvebase