CVE-2026-13351
net: Maliciously fragmented IPv6 packets can prevent receiving/processing future incoming packets
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.
| CWE | CWE-772 |
| Vendor | zephyrproject-rtos |
| Product | zephyr |
| Published | Jun 25, 2026 |
| Last Updated | Jun 25, 2026 |
Stay Ahead of the Next One
Get instant alerts for zephyrproject-rtos zephyr
Be the first to know when new high vulnerabilities affecting zephyrproject-rtos zephyr are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
zephyrproject-rtos / Zephyr
* โค 4.3