{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5590", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "state": "PUBLISHED", "assignerShortName": "zephyr", "dateReserved": "2026-04-05T03:23:27.992Z", "datePublished": "2026-04-05T03:34:56.323Z", "dateUpdated": "2026-04-06T14:22:23.284Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "Zephyr", "product": "Zephyr", "repo": "https://github.com/zephyrproject-rtos/zephyr", "vendor": "zephyrproject-rtos", "versions": [{"lessThanOrEqual": "4.3", "status": "affected", "version": "*", "versionType": "git"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "net: ip/tcp: Null pointer dereference can be triggered by a race condition"}], "value": "A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-04-05T03:34:56.323Z"}, "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vqm-pw24-g9jp"}], "source": {"discovery": "UNKNOWN"}, "title": "net: ip/tcp: Null pointer dereference can be triggered by a race condition", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T14:21:53.207121Z", "id": "CVE-2026-5590", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:22:23.284Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5590", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T14:21:53.207121Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T14:22:16.443Z"}}], "cna": {"title": "net: ip/tcp: Null pointer dereference can be triggered by a race condition", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/zephyrproject-rtos/zephyr", "vendor": "zephyrproject-rtos", "product": "Zephyr", "versions": [{"status": "affected", "version": "*", "versionType": "git", "lessThanOrEqual": "4.3"}], "packageName": "Zephyr", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vqm-pw24-g9jp"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.", "supportingMedia": [{"type": "text/html", "value": "net: ip/tcp: Null pointer dereference can be triggered by a race condition", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-04-05T03:34:56.323Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5590", "state": "PUBLISHED", "dateUpdated": "2026-04-06T14:22:23.284Z", "dateReserved": "2026-04-05T03:23:27.992Z", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "datePublished": "2026-04-05T03:34:56.323Z", "assignerShortName": "zephyr"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash."}], "id": "CVE-2026-5590", "lastModified": "2026-04-07T13:20:35.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.7, "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}, "published": "2026-04-05T04:16:16.370", "references": [{"source": "vulnerabilities@zephyrproject.org", "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vqm-pw24-g9jp"}], "sourceIdentifier": "vulnerabilities@zephyrproject.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "vulnerabilities@zephyrproject.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Zephyr", "source": "cna", "vendor": "zephyrproject-rtos"}, "product": "zephyr", "vendor": "zephyrproject-rtos"}], "analysis": {"en": {"generated_at": "2026-04-05T06:21:29.207570+00:00", "value": {"mitigation_remediation": ["Apply the latest Zephyr patch that addresses the TCP teardown race condition.", "If an immediate patch is unavailable, consider disabling the TCP stack or limiting concurrent connections to reduce the chance of a race condition.", "Monitor the Zephyr project security advisories for updates and verify that the affected version is no longer present in the system."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability is reported to affect the Zephyr operating system provided by zephyrproject\u2011rtos. No specific release or version range is specified in the available CNA data; system administrators must consult the linked advisory for detailed version guidance.", "description_and_impact": "A race condition in the Zephyr TCP stack can cause the tcp_recv() routine to operate on a connection that has already been released. When tcp_conn_search() returns NULL during the processing of a SYN packet, a NULL pointer that originates from stale context data is passed to the function tcp_backlog_is_full() and dereferenced without validation. This unvalidated dereference results in a crash, terminating the Zephyr system or the affected process. The flaw aligns with CWE\u2011476, a null pointer dereference weakness. No escalation or data disclosure beyond the resulting crash is documented. The primary impact is a denial of service that can affect the availability of the embedded device or network service running Zephyr.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates a moderate severity. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, implying no currently known exploited cases. The attack likely requires a precise race condition during TCP connection teardown, which may be triggered by a sequence of crafted network packets or concurrent traffic. Because the flaw is triggered internally within the Zephyr TCP stack, remote exploitation is not explicitly confirmed, but local or privileged users capable of creating such a race could force a crash. The overall risk is moderate, with the threat mainly being a denial of service to the target device."}}}}, "created": "2026-04-06T20:26:39.501431+00:00", "updated": "2026-04-06T21:57:14.234910+00:00", "vendors": ["zephyrproject-rtos", "zephyrproject-rtos$PRODUCT$zephyr"]}