Zephyr v4.4.0 was released on April 14, 2026. BayLibre contributed 256 authored commits spanning cryptography, ARM64 architecture, LoRa/LoRaWAN, and driver support.
Cryptography: Mbed TLS 4.x and TF-PSA-Crypto 1.x
Valerio Setti led the integration of Mbed TLS 4.1 and TF-PSA-Crypto 1.1 into Zephyr. For the time being Mbed TLS 3.6 is retained only for compatibility reasons, because TF-M is still at v2.2 revision, and it will be removed once TF-M will transition to v2.3. The CMake build was completely reshaped to use add_subdirectory() against Mbed TLS and TF-PSA-Crypto’s own CMake files rather than manually selecting sources. Configuration was split into separate Kconfig files, one for each module. Several Kconfig options related to legacy Mbed TLS crypto were removed. Configuration header files have been strongly simplified moving most of the logic at Kconfig level. New Kconfigs for TLS ciphersuites have been added in order to allow the end user to quickly select all the crypto features they need for a TLS connection.
The mbedtls_shim crypto driver was overhauled. Legacy cipher (ECB, CBC), AEAD (CCM, GCM) and hash APIs were replaced with the PSA API.
OpenThread, JWT, HostAP, MCUboot, flash-map, websocket and all samples and tests (1 and 2) were transitioned to use PSA Crypto API instead of legacy Mbed TLS crypto.
Since PSA API does not support (yet) parsing of Elliptic Curve points in compressed format, specific code was added to the uoscore-uedhoc library to overcome this limitation.
A mechanism for automatic enablement of CONFIG_ENTROPY_GENERATOR was added in Random subsystem in order to simplify end user configuration file. A run time deadloop for entropy gathering was also fixed.
ARM64: ARMv9-A Architecture and Security Extensions
Nicolas Pitre added ARMv9-A architecture support with Cortex-A510 as the default processor for generic ARMv9-A targets.
Pointer Authentication (PAC) was added for ARMv8.3+ to protect against ROP attacks, with per-thread key isolation and integration with Zephyr’s thread model. A follow-on fix addressed a crash on SMP secondary CPUs when PAC is enabled. Branch Target Identification (BTI) was added for ARMv8.5+ to protect against JOP attacks. BTI requires the C library to be built with branch protection enabled; Nicolas added the arm*: BTI requires C library built with branch protection check to enforce this. ARM_PAC_PER_THREAD RNG dependency handling was also improved.
SVE context switching was implemented for ARMv9-A, supporting both SVE and SVE2 with lazy context preservation. The implementation is incremental: threads using only FPU instructions get NEON access and preservation; upgrading to SVE instructions upgrades the NEON context to full SVE context from that point on. An ISB was added between SVE trap control and ZCR register writes. CONFIG_ARM64_SVE is now disabled for ARMv9-A when explicitly set to n, and ARM64 stack sizes for userspace with FPU and MAX_XLAT_TABLES for userspace tests were increased to accommodate.
The ARM64 MMU gained arch_mem_domain_deinit() to release page tables back to the pool when a memory domain is de-initialized, using the existing discard_table() mechanism to recursively free sub-tables.
FVP board support was restructured into a unified fvp_base_revc_2xaem board with a common SoC series, adding ARMv9-A variants: v9a, v9a/smp, and v9a/smp/ns (with TFA). Cortex-A320 was added as a board variant. A PM CPU ops driver for Arm FVP enables bare metal SMP without ATF by configuring RVBAR_EL3 to redirect secondary CPU reset vectors to Zephyr’s image header.
Kernel: Heap Hardening and SMP Timer Fixes
CONFIG_SYS_HEAP_CANARIES was introduced to place canary values at the end of each allocation, validated on free. The canary is computed from chunk address and size XORed with a magic value and stored as a trailer to avoid complicating aligned allocation. This was then superseded by the SYS_HEAP_HARDENING tiered Kconfig with five levels: NONE, BASIC (double-free and overflow detection), MODERATE (free list and neighbor consistency), FULL (trailer canary on every allocation), and EXTREME (exhaustive heap validation on every operation). Hardening checks use LOG_ERR + k_panic() rather than __ASSERT, so the configured level is honored regardless of assertion settings.
Z_HEAP_MIN_SIZE was previously defined as hardcoded magic numbers gated by a growing tower of #ifdefs. Nicolas replaced this with build-time computation from the actual C structures using an iterative fixed-point expansion. The underlying infrastructure is a new zephyr_constants_library() CMake function that encapsulates the offsets-style pattern: creating an OBJECT library from GEN_ABSOLUTE_SYM() declarations and generating a header from the resulting symbols.
sys_clock_lock() and sys_clock_announce_locked() were introduced in kernel/timeout to provide a unified timer lock API. The arm_arch_timer, apic_tsc, hpet, xtensa_sys_timer, riscv_machine_timer, and intel_adsp_timer drivers were all migrated to this API, eliminating a race on SMP where sys_clock_elapsed() could observe an updated last_cycle before sys_clock_announce() had advanced curr_tick.
LoRa and LoRaWAN
Carlo Caione restructured the LoRaWAN subsystem and extended the LoRa driver layer.
The LoRaWAN subsystem was refactored to support multiple backends. The loramac-node backend was moved to a subdirectory, directories were renamed to hyphenated form (loramac-node, lora-basics-modem), and region Kconfig symbols were made backend-agnostic.
A native SX126x driver for Semtech SX1261/SX1262 was added that does not depend on loramac-node or lora-basics-modem, enabled by CONFIG_LORA_MODULE_BACKEND_NONE (experimental). The driver was extended with STM32WL sub-GHz radio support for the STM32WL’s internally-integrated SX126x-compatible radio core. Sleep mode power management was added with a PM_DEVICE callback that disconnects RF GPIO pins on suspend and reconfigures them on resume.
Two new API functions were added to the LoRa API: lora_cad() and lora_cad_async() for Channel Activity Detection (with symbol_num, det_peak, and det_min parameters embedded in struct lora_modem_config), and lora_recv_duty_cycle() for hardware-driven RX duty cycling where the radio autonomously alternates between sleep and listening for a preamble without MCU involvement.
The lora-basics-modem module received an initial smtc_modem_hal HAL implementation covering the LoRa Basics Modem HAL layer (Radio Driver HAL and RAL BSP were already handled by the lbm_sx126x drivers). The LBM porting test suite was integrated as a Zephyr test. Remaining HAL stub functions were also added.
Carlo also added a DeviceMmioCheck CI compliance check to check_compliance.py that flags driver files casting DT_REG_ADDR() or DT_INST_REG_ADDR() directly to a pointer without using the device MMIO API — an access pattern that faults on MMU-enabled systems.
Drivers: Microcrystal RV3032
Stoyan Bogdanov added multi-function support for the Microcrystal RV-3032-C7 RTC by introducing an MFD driver to centralize I2C access and interrupt arbitration. The existing RTC driver was reworked to use the MFD parent, allowing parts of the chip that did not fit the RTC API to be exposed through separate drivers.
Three child drivers were added: a counter driver exposing the RV3032’s hardware timer via the counter API, a temperature sensor driver reporting from the chip’s internal sensor with high/low threshold interrupt support, and updated Devicetree bindings. Tests for all three subsystems were added to the build-all test suites.
Boards: phyBOARD-Polis A53 and SMP
Vitor Sato Eschholz ported Zephyr to the quad Cortex-A53 cluster of the phyBOARD-Polis (phyCORE-i.MX 8M Mini/Nano), which previously only ran on the Cortex-M4 core. The port includes SMP support. A UART3 node was added to the imx8mm Devicetree, and board documentation was updated with an A53 core description and a corrected board overview image.
TI CC13xx/CC26xx, PTP, and Documentation
Alexandre Bailon fixed two bugs in the IEEE 802.15.4 cc13xx/cc26xx driver. The channel selection path was stopping and restarting all radio operations even when the channel had not changed; skipping the restart when the channel is unchanged fixed the OpenThread joiner. The frame filter update path was computing new filters but not submitting them to the radio core; the fix restarts RX with the new filters immediately.
Pascal Bodin fixed cc13xx_cc26xx_irq_tx_ready() to check that the TX Ready interrupt occurred rather than checking for free space in the TX FIFO. The original check allowed a race in the OpenThread Spinel protocol implementation when a UART RX interrupt arrived between otPlatUartSend() setting ot_uart.tx_busy and initializing write_length.
Adam Wojasinski fixed an undefined behavior vulnerability in Zephyr’s PTP (Precision Time Protocol) subsystem. The bug was in how the PTP stack computed timeouts — it used interval values sourced directly from incoming PTP management messages as bit-shift counts, without any bounds validation. Shifting by a negative or out-of-range count is undefined behavior in C, and since those interval values could be freely set by a remote peer, a malicious or malformed message could trigger this in a running embedded system — with unpredictable consequences ranging from wrong timing to crashes. The fix clamps both both interval values to [-63, 63] before they touch any shift operation.
Adrien Ricciardi added a documentation link from K_xxx_THREAD_DEFINE to the thread entry point function type.
Summary
| Type | Count |
|---|---|
| Authored | 256 |