CVE-2026-10648 - Critical NULL-pointer Dereference Vulnerability in MCUmgr

CVE-2026-10648 is a NULL-pointer dereference in the MCUmgr serial/console SMP transport of Zephyr RTOS, reached through buffer-pool exhaustion. An attacker with access to the serial/console link can flood the transport with SMP fragments until the 4-entry packet pool is exhausted; the next new packet makes the transport dereference a NULL buffer pointer and the device faults (denial of service).

The root cause is in mcumgr_serial_process_frag() in subsys/mgmt/mcumgr/transport/src/serial_util.c: it calls net_buf_reset() on the buffer returned by smp_packet_alloc() before checking that pointer for NULL. smp_packet_alloc() allocates with net_buf_alloc(K_NO_WAIT) from the shared MCUmgr packet pool (CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT, default 4), which returns NULL rather than blocking when the pool is exhausted.

In default builds (CONFIG_ASSERT disabled) the __ASSERT_NO_MSG checks in net_buf_reset() are compiled out, so net_buf_simple_reset() writes through the NULL pointer (buf->len = 0; buf->data = buf->__buf) and the CPU faults. The fragment bytes that reach this path are attacker-controlled input from the MCUmgr serial/UART/shell-console transports (smp_uart.c, smp_raw_uart.c, smp_shell.c), and a fresh buffer is allocated at the start of essentially every new packet, so any new packet framed while the pool is full is a trigger. Builds with CONFIG_ASSERT=y are not protected in any useful sense: the assertion turns the stray write into an assertion failure, which still takes the device down.

The defect was introduced after the original MCUmgr transport rework and first shipped in Zephyr v4.4.0. The upstream fix moves the NULL check ahead of net_buf_reset(), so an exhausted pool is handled by the existing error path instead of dereferencing NULL. Raising CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT is not a mitigation; it only changes how many fragments the flood needs before the pool runs dry.
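To make the ordering bug concrete, the following is an added example (not Zephyr's or MCUmgr's code) that models the packet pool as a fixed array of four toy buffers allocated without waiting, and puts the vulnerable reset-before-check ordering beside the fixed check-before-reset ordering. Every toy_* name, POOL_COUNT, BUF_SIZE and the sample fragment bytes are this example's own assumptions; only the pool size of 4 is taken from the advisory.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for Zephyr's net_buf and the SMP packet pool. All toy_*
 * names are this example's own; the pool size of 4 is the
 * CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT default quoted in the advisory. */
#define POOL_COUNT 4
#define BUF_SIZE   128

struct toy_buf {
	uint8_t *data;            /* read cursor, like net_buf_simple.data */
	uint16_t len;             /* bytes in use, like net_buf_simple.len */
	uint8_t backing[BUF_SIZE];/* storage, like net_buf_simple.__buf */
	bool in_use;
};

static struct toy_buf pool[POOL_COUNT];

/* Like net_buf_alloc(K_NO_WAIT): never blocks, returns NULL when exhausted. */
static struct toy_buf *toy_alloc_nowait(void)
{
	for (size_t i = 0; i < POOL_COUNT; i++) {
		if (!pool[i].in_use) {
			pool[i].in_use = true;
			return &pool[i];
		}
	}
	return NULL;
}

/* Return every buffer to the pool; during a flood the consumer never gets
 * the chance to do this fast enough. */
static void toy_pool_release_all(void)
{
	for (size_t i = 0; i < POOL_COUNT; i++) {
		pool[i].in_use = false;
	}
}

/* Like net_buf_simple_reset(): writes through buf with no NULL check. */
static void toy_reset(struct toy_buf *buf)
{
	buf->len = 0;
	buf->data = buf->backing;
}

/* VULNERABLE ordering as the advisory describes mcumgr_serial_process_frag():
 * reset first, NULL check second. With the pool exhausted toy_reset() writes
 * through NULL. Kept for comparison only; never call it on an empty pool. */
struct toy_buf *toy_process_frag_vulnerable(void)
{
	struct toy_buf *nb = toy_alloc_nowait();

	toy_reset(nb);            /* BUG: nb may be NULL here */
	if (nb == NULL) {
		return NULL;      /* too late, already faulted */
	}
	return nb;
}

/* FIXED ordering: check before touching the buffer. An exhausted pool now
 * drops the packet with -ENOMEM instead of crashing. */
static int toy_process_frag_fixed(const uint8_t *frag, size_t frag_len,
				  struct toy_buf **out)
{
	struct toy_buf *nb = toy_alloc_nowait();

	*out = NULL;
	if (nb == NULL) {
		return -ENOMEM;
	}
	toy_reset(nb);
	if (frag_len > BUF_SIZE) {
		nb->in_use = false;
		return -EMSGSIZE;
	}
	memcpy(nb->data, frag, frag_len);
	nb->len = (uint16_t)frag_len;
	*out = nb;
	return 0;
}

/* Flood model: n_packets new-packet fragments arrive back to back and the
 * consumer frees nothing. Returns how many the fixed handler dropped. */
static int toy_flood_fixed(int n_packets)
{
	/* Constructed sample fragment; the byte values do not matter here. */
	static const uint8_t frag[] = { 0x06, 0x09, 0x00, 0x05, 'S', 'M', 'P' };
	int dropped = 0;

	for (int i = 0; i < n_packets; i++) {
		struct toy_buf *nb;

		if (toy_process_frag_fixed(frag, sizeof(frag), &nb) == -ENOMEM) {
			dropped++;
		}
	}
	return dropped;
}

int main(void)
{
	toy_pool_release_all();
	printf("dropped %d of 10 packets with a pool of %d\n",
	       toy_flood_fixed(10), POOL_COUNT);
	return 0;
}
```

Run stand-alone, it floods the fixed handler with ten back-to-back packets and nothing freed in between: the first four fill the pool and the remaining six come back as -ENOMEM, which is the outcome the original code should have produced instead of calling net_buf_reset() on NULL.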

This post is licensed under CC BY 4.0 by the author.