VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 9, 2026

CVE-2026-5067

Description

Zephyr's HTTP server has a memory corruption vulnerability in its WebSocket upgrade path, potentially leading to DoS or RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A memory corruption vulnerability exists in Zephyr's HTTP server WebSocket upgrade path when CONFIG_HTTP_SERVER_WEBSOCKET is enabled. A crafted Sec-WebSocket-Key header, copied without guaranteed NUL termination into a fixed-size buffer, can lead to an out-of-bounds read and write on the stack when processed by strlen() during the upgrade handling. Affected versions include >= 3.7.0 and <= 4.3.0 [1].

Exploitation

An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted Sec-WebSocket-Key header. The HTTP header parser copies this header into a fixed-size buffer using strncpy without ensuring NUL termination if the input fills the buffer. Subsequently, during WebSocket upgrade handling, this buffer is copied to a local stack buffer and passed to strlen(). If no NUL terminator is present within the buffer's bounds, strlen() will read past the buffer, leading to an out-of-bounds write when the WebSocket magic string is concatenated.

Impact

Successful exploitation of this vulnerability can result in a crash, leading to a denial of service. Furthermore, the out-of-bounds read and write on stack memory could potentially allow an attacker to achieve arbitrary code execution with the privileges of the affected process.

Mitigation

This vulnerability is addressed in Zephyr versions not listed in the affected range. Users should upgrade to a patched version. No specific patch version or release date is disclosed in the available references, but users are advised to consult the advisory for further details [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (4)

6e07307786e3

doc: release/4.4: Add CVE under embargo

https://github.com/zephyrproject-rtos/zephyr · Flavio Ceolin · Mar 27, 2026 · via github-commit-search
1 file changed · +2 -0
  • doc/releases/release-notes-4.4.rst · +2 -0 · modified
    @@ -59,6 +59,8 @@ The following CVEs are addressed by this release:
     
     * :cve:`2026-5066` Under embargo until 2026-06-01
     
    +* :cve:`2026-5067` Under embargo until 2026-05-23
    +
     API Changes
     ***********
     
    
b78b47d72e3e

doc: vuln: Add CVE under embargo

https://github.com/zephyrproject-rtos/zephyr · Flavio Ceolin · Mar 27, 2026 · via github-commit-search
1 file changed · +5 -0
  • doc/security/vulnerabilities.rst · +5 -0 · modified
    @@ -2217,3 +2217,8 @@ This has been fixed in main for v4.4.0
     ----------------
     
     Under embargo until 2026-06-01
    +
    +:cve:`2026-5067`
    +----------------
    +
    +Under embargo until 2026-05-23
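
Review bot: the new :cve:`2026-5067` entry carries only the embargo line, so it needs a tracked follow-up for after 2026-05-23 that fills in the description and the fix reference; the hunk header shows a neighbouring entry ending with "This has been fixed in main for v4.4.0". It is also worth confirming the ordering, since this entry is appended after one embargoed until 2026-06-01 although its own embargo ends earlier, which is fine if the file is sorted by CVE number.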
    
5d653fcfd4fb

net: lib: http_server: Reject over length websocket key header

https://github.com/zephyrproject-rtos/zephyr · Michael Ellerman · Feb 26, 2026 · via body-scan-shorthand
1 file changed · +6 -2
  • subsys/net/lib/http/http_server_http1.c · +6 -2 · modified
    @@ -896,8 +896,12 @@ static int on_header_value(struct http_parser *parser,
     
     			if (ctx->websocket_sec_key_next) {
     #if defined(CONFIG_WEBSOCKET)
    -				strncpy(ctx->ws_sec_key, ctx->header_buffer,
    -					MIN(sizeof(ctx->ws_sec_key), offset));
    +				if (offset >= sizeof(ctx->ws_sec_key)) {
    +					LOG_ERR("Sec-WebSocket-Key too long");
    +					return -EBADMSG;
    +				}
    +				memcpy(ctx->ws_sec_key, ctx->header_buffer, offset);
    +				ctx->ws_sec_key[offset] = '\0';
     #endif
     				ctx->websocket_sec_key_next = false;
     			}
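
Review bot: the new LOG_ERR("Sec-WebSocket-Key too long") sits on a path that a client reaches just by sending a long header value, so a peer can write error-level log lines at will; LOG_DBG or a rate-limited warning would fit better. The bounds logic itself holds: once the check guarantees offset < sizeof(ctx->ws_sec_key), both the memcpy and the write to ctx->ws_sec_key[offset] stay inside the buffer. Since the change touches only this file, a regression test that sends a key of exactly sizeof(ctx->ws_sec_key) bytes and expects -EBADMSG would pin the boundary.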
    
25c4b91f3f27

samples: net: nsos: remove `CONFIG_HEAP_MEM_POOL_SIZE`

https://github.com/zephyrproject-rtos/zephyr · Jordan Yates · Jan 13, 2026 · via body-scan-shorthand
3 files changed · +0 -3
  • samples/net/sockets/echo_server/overlay-nsos.conf · +0 -1 · modified
    @@ -3,7 +3,6 @@ CONFIG_NET_DRIVERS=y
     CONFIG_NET_SOCKETS=y
     CONFIG_NET_SOCKETS_OFFLOAD=y
     CONFIG_NET_NATIVE_OFFLOADED_SOCKETS=y
    -CONFIG_HEAP_MEM_POOL_SIZE=1024
     
     # IPv6 DAD requires lower level network interface access, below exposed socket-level access
     CONFIG_NET_IPV6_DAD=n
    
  • samples/net/sockets/http_get/overlay-nsos.conf · +0 -1 · modified
    @@ -3,4 +3,3 @@ CONFIG_NET_DRIVERS=y
     CONFIG_NET_SOCKETS=y
     CONFIG_NET_SOCKETS_OFFLOAD=y
     CONFIG_NET_NATIVE_OFFLOADED_SOCKETS=y
    -CONFIG_HEAP_MEM_POOL_SIZE=1024
    
  • samples/net/sockets/sntp_client/overlay-nsos.conf · +0 -1 · modified
    @@ -5,7 +5,6 @@ CONFIG_NET_DRIVERS=y
     CONFIG_NET_SOCKETS=y
     CONFIG_NET_SOCKETS_OFFLOAD=y
     CONFIG_NET_NATIVE_OFFLOADED_SOCKETS=y
    -CONFIG_HEAP_MEM_POOL_SIZE=4096
     
     # IPv6 DAD requires lower level network interface access, below exposed socket-level access
     CONFIG_NET_IPV6_DAD=n
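
Review bot: this overlay drops CONFIG_HEAP_MEM_POOL_SIZE=4096 while the echo_server and http_get overlays drop 1024, and none of the hunks show what provides the heap afterwards. The commit message should name the default or minimum that replaces these settings and confirm it is at least 4096 for the sntp_client sample.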
    

Vulnerability mechanics

Root cause

"The HTTP/1 header parser does not guarantee NUL termination when copying a long Sec-WebSocket-Key header into a fixed-size buffer."

Attack vector

A remote, unauthenticated attacker can trigger this vulnerability by sending a crafted HTTP request with a `Sec-WebSocket-Key` header that is exactly 32 bytes long. This header is copied into a fixed-size buffer without guaranteed NUL termination. Subsequently, when the server attempts to process the WebSocket upgrade, it calls `strlen()` on this buffer, which can lead to an out-of-bounds read. This is followed by an out-of-bounds write when concatenating with a magic string, potentially leading to a crash or code execution [ref_id=1].

Affected code

The vulnerability lies within the HTTP/1 header parser, specifically in how the `Sec-WebSocket-Key` is handled during the WebSocket upgrade process. The `strncpy` function is used to copy the header into `ctx->ws_sec_key`, which has a maximum length defined by `HTTP_SERVER_WS_MAX_SEC_KEY_LEN` (32 bytes). The issue occurs when the input key length reaches this maximum, as `strncpy` does not guarantee NUL termination in such cases [ref_id=1].

What the fix does

The fix commit rejects a `Sec-WebSocket-Key` value whose length is greater than or equal to the size of `ctx->ws_sec_key`, returning `-EBADMSG`, and otherwise copies it with `memcpy` and writes an explicit NUL terminator. The stored key is therefore always NUL-terminated, which prevents `strlen()` from reading beyond the allocated buffer during the WebSocket upgrade handling. With termination guaranteed, the subsequent concatenation with the WebSocket magic string is safe and avoids out-of-bounds writes [ref_id=1].
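
The copy before and after the fix, modelled outside Zephyr as an added example (not code from this page or from the project): `struct demo_ctx`, `copy_key_unfixed`, `copy_key_fixed` and `try_key` are hypothetical names, and the 32-byte size is the value the page gives. The terminator check uses `memchr` so the demonstration itself never reads past the buffer.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define WS_SEC_KEY_LEN 32 /* per the page: HTTP_SERVER_WS_MAX_SEC_KEY_LEN */
#define MIN(a, b) ((a) < (b) ? (a) : (b))
/* Hypothetical stand-in for the server's per-client context. */
struct demo_ctx { char ws_sec_key[WS_SEC_KEY_LEN]; };

/* Pre-fix copy: bounded, but writes no NUL once len reaches the buffer size. */
static void copy_key_unfixed(struct demo_ctx *ctx, const char *hdr, size_t len)
{
	strncpy(ctx->ws_sec_key, hdr, MIN(sizeof(ctx->ws_sec_key), len));
}

/* Post-fix copy: reject any value that leaves no room for the terminator. */
static int copy_key_fixed(struct demo_ctx *ctx, const char *hdr, size_t len)
{
	if (len >= sizeof(ctx->ws_sec_key))
		return -EBADMSG;
	memcpy(ctx->ws_sec_key, hdr, len);
	ctx->ws_sec_key[len] = '\0';
	return 0;
}

/* Copies a constructed key of `len` 'A' bytes into a zeroed context. Returns a
 * negative errno if rejected, 1 if a NUL lies inside the buffer, 0 if not. */
static int try_key(int fixed, size_t len)
{
	char hdr[2 * WS_SEC_KEY_LEN] = {0};
	struct demo_ctx ctx = {{0}};
	int rc = 0;
	if (len >= sizeof(hdr))
		return -EINVAL;
	memset(hdr, 'A', len);
	if (fixed)
		rc = copy_key_fixed(&ctx, hdr, len);
	else
		copy_key_unfixed(&ctx, hdr, len);
	if (rc < 0)
		return rc;
	return memchr(ctx.ws_sec_key, '\0', sizeof(ctx.ws_sec_key)) != NULL;
}

int main(void)
{
	printf("unfixed/32: %d  fixed/32: %d  fixed/24: %d\n",
	       try_key(0, 32), try_key(1, 32), try_key(1, 24));
	return 0;
}
```

In the unfixed path a shorter key only ends up terminated here because the context starts zeroed; the fixed path writes the terminator itself and does not depend on that.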

Preconditions

  • config: The Zephyr HTTP server must be compiled with `CONFIG_HTTP_SERVER_WEBSOCKET` enabled.
  • auth: The attacker does not require any authentication.
  • network: The attacker must be able to send network requests to the affected device.
  • input: The attacker must send a crafted `Sec-WebSocket-Key` header of 32 bytes.

Reproduction

Build and run the Zephyr sample HTTP server with `CONFIG_HTTP_SERVER_WEBSOCKET=y`. Register a WebSocket endpoint, for example, `/ws_echo`. Then, send repeated crafted upgrade requests using a tool like `nc`:

```bash
for i in $(seq 1 2000); do
  printf 'GET /ws_echo HTTP/1.1\r\nHost: 127.0.0.1\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Version: 13\r\nSec-WebSocket-Key: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n\r\n' | nc 127.0.0.1 8080 >/dev/null || break
done
```

Observe server instability, such as a crash or reset, due to the out-of-bounds read/write in the upgrade handling [ref_id=1].

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
