CVE-2026-13351 | Zephyr's IPv6 network stack can be prevented from receiving … | CVSS 7.5 HIGH

Description

Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.

Metadata

CVE ID: CVE-2026-13351
State: PUBLISHED
Assigner: zephyr
Reserved: 2026-06-25 16:13 UTC
Published: 2026-06-25 16:27 UTC
Last updated: 2026-06-25 18:00 UTC
Primary CWE: CWE-772
Missing Release of Resource after Effective Lifetime
Vendor / Product: zephyrproject-rtos / Zephyr
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
zephyrproject-rtos	Zephyr	—	* ≤ 4.3

Weakness (CWE)

CWE	Source	Description
CWE-772	cna	Missing Release of Resource after Effective Lifetime

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (1)

https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-cv4q-2j56-4wqf