Zephyr
cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*
- <= 4.2
A vulnerability in Zephyr's network stack allows an IPv4 packet with ICMP type 128 (the type number of an ICMPv6 Echo Request) to be incorrectly processed as an ICMPv6 Echo Request. This misclassification leads to an out-of-bounds memory read, creating a potential information leak in the networking subsystem. The issue arises from the way ICMP handlers are registered: an ICMPv6 handler can be called for an IPv4 packet, which should never happen.
Exploitation of this vulnerability causes an out-of-bounds memory read, which could lead to unintended information disclosure.
The vulnerability can be reproduced by sending an IPv4 packet containing ICMP type 128 to a device running Zephyr version 4.1.0 or earlier. The packet will be processed by the network stack, which incorrectly calls the ICMPv6 Echo Request handler. This misrouting allows the IPv4 header to be interpreted as an IPv6 header, triggering the out-of-bounds memory read.
Users can upgrade to Zephyr versions 4.2 or 3.7, where this vulnerability has been patched.
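The handler-registration flaw described above, modeled as an added example (this is not Zephyr's code or its actual patch): handlers are looked up by IP family as well as ICMP type, and the ICMPv6 handler checks length and version before reading at IPv6 offsets. All names, return codes and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define IPV6_HDR_LEN 40u          /* fixed IPv6 header size */
#define ICMP_HDR_LEN 4u           /* type, code, checksum */
#define ICMPV6_ECHO_REQUEST 128u
#define DROP_NO_HANDLER (-2)      /* hypothetical return codes */
#define DROP_MALFORMED  (-1)

enum ip_family { FAM_IPV4 = 4, FAM_IPV6 = 6 };
struct pkt { const uint8_t *data; size_t len; };
typedef int (*icmp_fn)(const struct pkt *p);
/* Hypothetical registration entry: the IP family is part of the key. */
struct icmp_handler { enum ip_family family; uint8_t type; icmp_fn fn; };

/* Defence in depth: check length and version nibble before touching
 * anything that lives at IPv6 header offsets. */
static int icmpv6_echo_request(const struct pkt *p)
{
    if (p->len < IPV6_HDR_LEN + ICMP_HDR_LEN || (p->data[0] >> 4) != 6)
        return DROP_MALFORMED;
    return 0; /* a real handler would build the Echo Reply here */
}

static const struct icmp_handler handlers[] = {
    { FAM_IPV6, ICMPV6_ECHO_REQUEST, icmpv6_echo_request },
};

/* Look up by (family, type); matching on type alone is the flaw described. */
static int icmp_dispatch(enum ip_family fam, uint8_t type, const struct pkt *p)
{
    for (size_t i = 0; i < sizeof(handlers) / sizeof(handlers[0]); i++)
        if (handlers[i].family == fam && handlers[i].type == type)
            return handlers[i].fn(p);
    return DROP_NO_HANDLER;
}

/* Constructed sample packets: 28-byte IPv4 (ICMP type 128), 48-byte IPv6. */
static const uint8_t v4[28] = { [0] = 0x45, [9] = 1, [20] = 128 };
static const uint8_t v6[48] = { [0] = 0x60, [6] = 58, [40] = 128 };
static const struct pkt pkt_v4 = { v4, sizeof(v4) };
static const struct pkt pkt_v6 = { v6, sizeof(v6) };

int demo_v4_type128(void)  { return icmp_dispatch(FAM_IPV4, v4[20], &pkt_v4); }
int demo_v6_echo(void)     { return icmp_dispatch(FAM_IPV6, v6[40], &pkt_v6); }
int demo_direct_call(void) { return icmpv6_echo_request(&pkt_v4); }

int main(void) { return demo_v4_type128() == DROP_NO_HANDLER ? 0 : 1; }
```

`demo_direct_call` shows the second layer: even if the ICMPv6 handler were reached with the 28-byte IPv4 buffer, the length and version checks reject it before any read at IPv6 offsets.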