Platform: c
Component: zephyr
Fixed in: 4.3.1
CVE-2026-5590 describes a race condition vulnerability within the Zephyr RTOS Kernel. This flaw, triggered during TCP connection teardown, can lead to a system crash due to a NULL pointer dereference. The vulnerability impacts Zephyr RTOS Kernel versions from 0.0.0 through 4.3, and a patch is available to address the issue.
The core of the vulnerability lies in how the Zephyr RTOS Kernel handles TCP connection teardown. Specifically, if tcp_conn_search() returns NULL while processing a SYN packet, the subsequent call to tcp_backlog_is_full() receives a NULL pointer derived from stale context data. This NULL pointer is then dereferenced without validation, resulting in a crash. The crash amounts to a denial of service, potentially impacting real-time applications and embedded systems relying on Zephyr RTOS. The severity stems from the potential for system instability and the difficulty of recovering from a kernel crash in resource-constrained environments.
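The bug class described above (a lookup that can legitimately return NULL because teardown raced ahead, forwarded into a callee whose contract assumes a non-NULL pointer) is shown below in a small, self-contained model. This is added illustration code, not Zephyr's tcp.c: the connection table, conn_search(), backlog_is_full() and the two SYN handlers are hypothetical stand-ins for the tcp_conn_search()/tcp_backlog_is_full() pair named in the advisory, and the addresses and ports are constructed sample values. The unchecked handler is kept only for contrast and is never executed; the hardened handler validates the lookup result before any dereference, which is the fix pattern a reviewer would look for in the patched path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, minimal model of a TCP connection table (not Zephyr code). */
struct tcp_conn {
    uint16_t local_port;
    uint16_t remote_port;
    uint32_t remote_addr;
    int backlog_len;
    int backlog_max;
    bool in_use;
};

#define MAX_CONNS 4
static struct tcp_conn conn_table[MAX_CONNS];

/* Lookup: returns NULL when no live entry matches, e.g. because teardown
 * already released it. Every caller must be prepared for NULL. */
struct tcp_conn *conn_search(uint16_t lport, uint32_t raddr, uint16_t rport)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        struct tcp_conn *c = &conn_table[i];
        if (c->in_use && c->local_port == lport &&
            c->remote_addr == raddr && c->remote_port == rport)
            return c;
    }
    return NULL;
}

/* Register an entry; returns 0 on success, -1 if the table is full. */
int conn_add(uint16_t lport, uint32_t raddr, uint16_t rport, int backlog_max)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        if (!conn_table[i].in_use) {
            conn_table[i] = (struct tcp_conn){ .local_port = lport, .remote_port = rport,
                                               .remote_addr = raddr, .backlog_len = 0,
                                               .backlog_max = backlog_max, .in_use = true };
            return 0;
        }
    }
    return -1;
}

/* Teardown (the other side of the race). Returns true if an entry was released. */
bool conn_remove(uint16_t lport, uint32_t raddr, uint16_t rport)
{
    struct tcp_conn *c = conn_search(lport, raddr, rport);
    if (c == NULL)
        return false;
    c->in_use = false;
    return true;
}

/* Dereferences its argument unconditionally: its contract is "non-NULL". */
bool backlog_is_full(const struct tcp_conn *conn)
{
    return conn->backlog_len >= conn->backlog_max;
}

enum syn_result { SYN_ACCEPTED = 0, SYN_DROPPED_BACKLOG_FULL = 1, SYN_DROPPED_NO_CONN = 2 };

/* Defective pattern: the lookup result goes straight into a callee that
 * dereferences it. If teardown released the entry first, conn is NULL and the
 * kernel crashes. Kept for contrast only; never called in this file. */
enum syn_result handle_syn_unchecked(uint16_t lport, uint32_t raddr, uint16_t rport)
{
    struct tcp_conn *conn = conn_search(lport, raddr, rport);
    if (backlog_is_full(conn))       /* NULL dereference when conn == NULL */
        return SYN_DROPPED_BACKLOG_FULL;
    conn->backlog_len++;
    return SYN_ACCEPTED;
}

/* Hardened pattern: validate the lookup result before any dereference and
 * drop the segment when the connection is already gone. */
enum syn_result handle_syn(uint16_t lport, uint32_t raddr, uint16_t rport)
{
    struct tcp_conn *conn = conn_search(lport, raddr, rport);
    if (conn == NULL)
        return SYN_DROPPED_NO_CONN;  /* entry torn down: drop, do not crash */
    if (backlog_is_full(conn))
        return SYN_DROPPED_BACKLOG_FULL;
    conn->backlog_len++;
    return SYN_ACCEPTED;
}

int main(void)
{
    /* Constructed scenario: listener on port 80, one backlog slot, peer 10.0.0.1:40000. */
    conn_add(80, 0x0A000001u, 40000, 1);
    printf("syn #1: %d\n", handle_syn(80, 0x0A000001u, 40000)); /* 0: accepted */
    printf("syn #2: %d\n", handle_syn(80, 0x0A000001u, 40000)); /* 1: backlog full */
    conn_remove(80, 0x0A000001u, 40000);                         /* teardown wins the race */
    printf("syn #3: %d\n", handle_syn(80, 0x0A000001u, 40000)); /* 2: dropped, no crash */
    return 0;
}
```

The third SYN is the interesting case: after conn_remove() the lookup returns NULL, and the hardened handler turns what would have been a kernel fault into a dropped segment. When reviewing a backported fix, the check to look for is exactly this NULL guard between the connection lookup and the first call that dereferences its result.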
CVE-2026-5590 was publicly disclosed on 2026-04-05. The vulnerability's exploitation probability is currently assessed as medium, given its complexity and the need for precise timing to trigger the race condition. No public proof-of-concept (PoC) code has been released at the time of this writing, but the detailed description suggests that exploitation is possible with sufficient expertise. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.04% (14th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-5590 is to upgrade to a patched version of the Zephyr RTOS Kernel. Consult the Zephyr Project's official release notes for the specific version containing the fix. If immediate upgrading is not feasible, consider temporary workarounds such as carefully monitoring TCP connection teardown and adding robust error handling so that a NULL pointer in the affected path is detected and handled rather than dereferenced. While not a complete solution, this can help prevent system crashes. After upgrading, confirm the fix by initiating and terminating TCP connections and verifying that no crashes or errors occur during teardown.
Apply the latest security update provided by the Zephyr RTOS project. This update addresses the race condition that can lead to a denial of service due to a null memory access. Refer to the release notes and upgrade instructions in the Zephyr repository for specific details.
CVE-2026-5590 is a race condition vulnerability in Zephyr RTOS Kernel versions 0.0.0–4.3. It can lead to a system crash during TCP connection teardown due to a NULL pointer dereference.
If you are using Zephyr RTOS Kernel versions between 0.0.0 and 4.3, you are potentially affected by this vulnerability. Check your system's version and upgrade if necessary.
The recommended fix is to upgrade to a patched version of Zephyr RTOS Kernel. Consult the official Zephyr Project release notes for the latest version with the fix.
There is no confirmed active exploitation of CVE-2026-5590 at this time, but the vulnerability is publicly known and could be exploited.
Refer to the Zephyr Project's official security advisories and release notes on their website for detailed information about CVE-2026-5590 and available patches.