CVE-2026-1681

# PoC for CVE-2026-1681 # Triggering stack overflow in Zephyr RTOS via self-ping # Usage: Execute this command in the Zephyr shell of the vulnerable device # Assuming the device IP is 192.168.1.100 (or any local IPv4 assigned) # The 'net ping' command sends an ICMP Echo Request to the specified address. net ping 192.168.1.100 # Expected Result: # The command triggers a recursive input path in the network stack because # the destination is the local address. This leads to a stack overflow # (Work-queue stack exhaustion). The device may crash, reboot, or hang.

{"cve": {"id": "CVE-2026-1681", "sourceIdentifier": "[email protected]", "published": "2026-05-12T07:16:09.843", "lastModified": "2026-05-12T07:16:09.843", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both the echo request and the resulting echo reply are processed inline before the current frame returns. The nested input-path frames exceed the work-queue stack and trigger a stack overflow."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-674"}]}], "references": [{"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-6fcc-8rwr-w7xx", "source": "[email protected]"}]}}