CVE-2026-13351
net: Maliciously fragmented IPv6 packets can prevent receiving/processing future incoming packets
Description
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.
INFO
Published Date :
June 25, 2026, 4:27 p.m.
Last Modified :
June 25, 2026, 4:27 p.m.
Remotely Exploit :
Yes !
Source :
zephyr
Affected Products
The following products are affected by CVE-2026-13351
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | e2e69745-5e70-4e92-8431-deb5529a81ad | ||||
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Update Zephyr's IPv6 network stack.
- Ensure fragment header processing is secure.
- Monitor network buffer usage.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-13351 vulnerability anywhere in the article.