The tcp_recv() function in subsys/net/ip/tcp.c contains a null pointer dereference vulnerability that can be triggered by a race condition:
Details
1. The protocol stack releases a TCP connection via tcp_conn_release(), which sets conn->context->tcp = NULL at line 881 and later removes the connection while holding tcp_lock (lines 911–913).
2. Meanwhile, packets that have just been received for that same connection may still be processed by tcp_recv(). The function first tries to find an existing connection by calling tcp_conn_search() (line 2308), which is also protected by tcp_lock. If the removal in step 1 happens first, tcp_conn_search() returns NULL. If the packet is a SYN, the read at line 2316 then yields a null pointer, because user_data points to conn->context (as set in zsock_listen_ctx()) and its tcp member has already been cleared in step 1. That null pointer is subsequently passed to tcp_backlog_is_full(), which dereferences it without a prior check.
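The interleaving described above, as an added illustration that is not Zephyr's code: a hypothetical single-threaded C model with the same shape (a socket context that owns its listener's struct tcp, a connection lookup under tcp_lock, and a SYN path that reads the listener back from user_data). The struct layouts, the connection table, the flag-based lock and the syn_scenario() helper are assumptions of this model; only the function names are reused from the advisory. The unhardened path reproduces the null dereference; the hardened path drops the SYN when the listener has already been released.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not Zephyr's types). Single-threaded: the race
 * interleaving is forced by call order, and tcp_lock is a flag that only
 * records which steps run under the lock. */
struct tcp;
struct net_context { struct tcp *tcp; };          /* passed to tcp_recv() as user_data */
struct tcp {
	struct net_context *context;
	uint16_t local_port, remote_port;             /* remote_port == 0 marks a listener */
	int backlog_len, backlog_max;
};
struct pkt { uint8_t flags; uint16_t src_port, dst_port; };

#define TCP_SYN 0x02
#define TCP_ACK 0x10
#define MAX_CONNS 4
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

static struct tcp *conn_table[MAX_CONNS];
static bool tcp_lock_held;
static void tcp_lock(void)   { assert(!tcp_lock_held); tcp_lock_held = true; }
static void tcp_unlock(void) { assert(tcp_lock_held);  tcp_lock_held = false; }

/* Lookup of an established connection by port pair, under tcp_lock.
 * A listener has no remote port, so a fresh SYN never matches it here. */
static struct tcp *tcp_conn_search(const struct pkt *p)
{
	struct tcp *found = NULL;
	tcp_lock();
	for (int i = 0; i < MAX_CONNS && !found; i++) {
		struct tcp *c = conn_table[i];
		if (c && c->remote_port && c->local_port == p->dst_port &&
		    c->remote_port == p->src_port) {
			found = c;
		}
	}
	tcp_unlock();
	return found;
}

/* Release: unhook the context from the connection first, then remove the
 * connection from the table under tcp_lock (the two steps of the advisory). */
static void tcp_conn_release(struct tcp *conn)
{
	conn->context->tcp = NULL;
	tcp_lock();
	for (int i = 0; i < MAX_CONNS; i++) {
		if (conn_table[i] == conn) conn_table[i] = NULL;
	}
	tcp_unlock();
}

/* Dereferences its argument unconditionally; the caller must ensure it is non-NULL. */
static bool tcp_backlog_is_full(const struct tcp *listener)
{
	return listener->backlog_len >= listener->backlog_max;
}

/* Receive path. hardened == false has the shape the advisory describes: after
 * the lookup misses, the listener read from user_data goes straight into
 * tcp_backlog_is_full(), so a SYN arriving after tcp_conn_release() crashes.
 * hardened == true drops that SYN instead. */
static enum verdict tcp_recv(const struct pkt *p, void *user_data, bool hardened)
{
	struct tcp *conn = tcp_conn_search(p);
	if (conn) {
		return VERDICT_ACCEPT;               /* existing connection: normal processing */
	}
	if ((p->flags & TCP_SYN) && !(p->flags & TCP_ACK)) {
		struct tcp *listener = ((struct net_context *)user_data)->tcp;
		if (hardened && listener == NULL) {
			return VERDICT_DROP;             /* listener already released: nothing to queue on */
		}
		if (tcp_backlog_is_full(listener)) {
			return VERDICT_DROP;
		}
		listener->backlog_len++;             /* queue the embryonic connection */
		return VERDICT_ACCEPT;
	}
	return VERDICT_DROP;
}

/* Scenario helper (assumed, for the demo): one listener on port 8080 and one
 * SYN from port 40000, optionally with the listener released before the SYN
 * is processed. release_first && !hardened is the bug and dereferences NULL. */
enum verdict syn_scenario(bool release_first, bool hardened, int backlog_max)
{
	static struct net_context ctx;
	static struct tcp listener;
	listener = (struct tcp){ .context = &ctx, .local_port = 8080, .remote_port = 0,
	                         .backlog_len = 0, .backlog_max = backlog_max };
	ctx.tcp = &listener;
	for (int i = 0; i < MAX_CONNS; i++) conn_table[i] = NULL;
	conn_table[0] = &listener;

	if (release_first) {
		tcp_conn_release(&listener);
	}
	struct pkt syn = { .flags = TCP_SYN, .src_port = 40000, .dst_port = 8080 };
	return tcp_recv(&syn, &ctx, hardened);
}

int main(void)
{
	printf("live listener, backlog 1: %d\n", syn_scenario(false, true, 1));   /* 1 */
	printf("live listener, backlog 0: %d\n", syn_scenario(false, true, 0));   /* 0 */
	printf("released listener, hardened: %d\n", syn_scenario(true, true, 1)); /* 0 */
	return 0;
}
```

A NULL check on the value read from user_data closes the dereference described here, but it does not by itself make that read atomic with respect to tcp_conn_release(); whether the upstream fix (#102110) also serialises the two paths is not stated on this page, so treat the hardened branch as an illustration of the missing check rather than as the actual patch.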
Patches
main: #102110
For more information
If you have any questions or comments about this advisory:
embargo: 2026-03-20