{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "v4.4.0"
              }
            ],
            "source": "DESCRIPTION"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "684c9e8f32e4373a21098559f748f06915f950c9"
            }
          ],
          "repo": "https://github.com/zephyrproject-rtos/zephyr",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-284j-5jm9-55hh"
  ],
  "database_specific": {
    "cna_assigner": "zephyr",
    "cwe_ids": [
      "CWE-415"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10653.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "2.7.0"
          },
          {
            "fixed": "4.5.0"
          }
        ],
        "source": "AFFECTED_FIELD"
      }
    ]
  },
  "details": "The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf-\u003eref and the per-data-block ref_count at the start of each variable/heap data allocation -- with plain non-atomic C operators (buf-\u003eref++, if (--buf-\u003eref \u003e 0), if (--(*ref_count))).\n\nThe API is documented as self-synchronizing: callers may share one buffer across threads (e.g. via k_fifo) and each holder independently calls net_buf_unref() with no surrounding lock. Under true concurrency (SMP, or single-core preemption between the non-atomic load and store while another context unrefs the same buffer), two holders can both observe the same prior reference value and both conclude they are the last reference.\n\nFor heap/variable-data pools (mem_pool_data_unref/heap_data_unref, used by zbus message subscribers, the IP stack RX/TX buffers when CONFIG_NET_BUF_FIXED_DATA_SIZE=n, capture, wireguard, ISO-TP and usbip) this produces a double k_heap_free()/k_free() of the same block -- heap-metadata corruption and a use-after-free on the heap-hardening poison pattern.\n\nFor the per-header refcount the buffer is returned to the pool free LIFO twice for any pool type (including fixed-data pools used by Bluetooth and networking), corrupting the free list so a later allocation hands the same buffer to two owners.\n\nThe fix converts both refcounts to atomic_inc/atomic_dec (overlaying buf-\u003eref in an atomic_t-sized union and changing the data-block refcount from uint8_t to atomic_t).\n\nImpact is gated on genuine concurrency and on an application architecture that shares one buffer among multiple independent unref'ers; the trigger is a refcount/timing race rather than packet content, so an external attacker has at most weak indirect influence over the race window. Affects all Zephyr releases through v4.4.0.",
  "id": "CVE-2026-10653",
  "modified": "2026-07-16T03:31:17.475551668Z",
  "published": "2026-06-30T16:20:16.798Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/10xxx/CVE-2026-10653.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-284j-5jm9-55hh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10653"
    },
    {
      "type": "FIX",
      "url": "https://github.com/zephyrproject-rtos/zephyr/commit/9bb2878319d5f46c29ab5fe855a378d87cd75fc3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zephyrproject-rtos/zephyr"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Non-atomic `net_buf` reference counts cause double-free / free-list corruption under concurrent unref"
}