Description
A flaw in Zephyr’s network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem.
Scores
CVSS v3
6.5
EPSS
0.0002
EPSS Percentile
4.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-843
Status
published
Products (1)
zephyrproject-rtos/Zephyr
< 4.2
Published
Jan 30, 2026
Tracked Since
Feb 18, 2026