zephyr
CVEs (15)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-7060 | Hig | 0.56 | 8.6 | 0.00 | Mar 15, 2024 | Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination address. | ||
| CVE-2025-1675 | Hig | 0.53 | 8.2 | 0.00 | Feb 25, 2025 | The function dns_copy_qname in dns_pack.c performs performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data. | ||
| CVE-2025-1673 | Hig | 0.53 | 8.2 | 0.00 | Feb 25, 2025 | A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation. | ||
| CVE-2024-1638 | Hig | 0.53 | 8.2 | 0.00 | Feb 19, 2024 | The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: Attribute read/write permission with LE Secure Connection encryption. If set, requires that LE Secure Connections is used for read/write access,… | ||
| CVE-2023-6249 | Hig | 0.52 | 8.0 | 0.00 | Feb 18, 2024 | Signed to unsigned conversion esp32_ipm_send | ||
| CVE-2023-6749 | Hig | 0.52 | 8.0 | 0.00 | Feb 18, 2024 | Unchecked length coming from user input in settings shell | ||
| CVE-2025-2962 | Hig | 0.49 | 7.5 | 0.00 | Jun 24, 2025 | A denial-of-service issue in the dns implemenation could cause an infinite loop. | ||
| CVE-2024-8798 | Hig | 0.49 | 7.5 | 0.00 | Dec 16, 2024 | No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c. | ||
| CVE-2024-6259 | Hig | 0.49 | 7.6 | 0.01 | Sep 13, 2024 | BT: HCI: adv_ext_report Improper discarding in adv_ext_report | ||
| CVE-2023-6881 | Hig | 0.47 | 7.3 | 0.00 | Feb 29, 2024 | Possible buffer overflow in is_mount_point | ||
| CVE-2024-6444 | Med | 0.41 | 6.3 | 0.00 | Oct 4, 2024 | No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c. | ||
| CVE-2024-6443 | Med | 0.41 | 6.3 | 0.01 | Oct 4, 2024 | In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty. | ||
| CVE-2024-6442 | Med | 0.41 | 6.3 | 0.00 | Oct 4, 2024 | In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow. | ||
| CVE-2023-5779 | Med | 0.29 | 4.4 | 0.00 | Feb 18, 2024 | can: out of bounds in remove_rx_filter function | ||
| CVE-2020-10070 | Cri | 0.00 | 9.0 | 0.03 | Jun 5, 2020 | In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions. |
- risk 0.56cvss 8.6epss 0.00
Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination address.
- risk 0.53cvss 8.2epss 0.00
The function dns_copy_qname in dns_pack.c performs performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data.
- risk 0.53cvss 8.2epss 0.00
A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.
- risk 0.53cvss 8.2epss 0.00
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: Attribute read/write permission with LE Secure Connection encryption. If set, requires that LE Secure Connections is used for read/write access,…
- risk 0.52cvss 8.0epss 0.00
Signed to unsigned conversion esp32_ipm_send
- risk 0.52cvss 8.0epss 0.00
Unchecked length coming from user input in settings shell
- risk 0.49cvss 7.5epss 0.00
A denial-of-service issue in the dns implemenation could cause an infinite loop.
- risk 0.49cvss 7.5epss 0.00
No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
- risk 0.49cvss 7.6epss 0.01
BT: HCI: adv_ext_report Improper discarding in adv_ext_report
- risk 0.47cvss 7.3epss 0.00
Possible buffer overflow in is_mount_point
- risk 0.41cvss 6.3epss 0.00
No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
- risk 0.41cvss 6.3epss 0.01
In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty.
- risk 0.41cvss 6.3epss 0.00
In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.
- risk 0.29cvss 4.4epss 0.00
can: out of bounds in remove_rx_filter function
- risk 0.00cvss 9.0epss 0.03
In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.