Zephyr

by Zephyrproject Rtos

CVEs (141)

  • CVE-2018-1000800 | Critical | Sep 6, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get() that can result in CPU Page Fault (error code 0x00000010). This attack appears to be exploitable via a malicious application calling the vulnerable kernel APIs…

  • CVE-2026-5067 | Critical | Jun 9, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL…

  • CVE-2025-9408 | High | Nov 11, 2025
    risk 0.53 | cvss 8.1 | epss 0.00

    System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes.

  • CVE-2025-9558 | High | Nov 26, 2025
    risk 0.49 | cvss 7.6 | epss 0.00

    There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size.

  • CVE-2025-9557 | High | Nov 26, 2025
    risk 0.49 | cvss 7.6 | epss 0.00

    An out-of-bounds write can lead to arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service.

  • CVE-2026-5068 | High | Jun 9, 2026
    risk 0.42 | cvss 7.6 | epss 0.00

    A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the…

  • CVE-2025-12899 | Medium | Jan 30, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    A flaw in Zephyr’s network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem.

  • CVE-2025-12035 | Medium | Dec 15, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    An integer overflow condition exists in the Bluetooth Host stack, within the bt_br_acl_recv routine, a critical path for processing inbound BR/EDR L2CAP traffic.

  • CVE-2025-12890 | Medium | Nov 7, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Improper handling of a malformed Connection Request with the interval set to 1 (which is supposed to be illegal) and the chM 0x7CFFFFFFFF triggers a crash. The peripheral will not be connectable afterwards.

  • CVE-2026-1679 | High | Mar 28, 2026
    risk 0.40 | cvss 7.3 | epss 0.00

    The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can…

  • CVE-2026-5072 | Medium | May 22, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set.…

  • CVE-2026-5590 | Medium | Apr 5, 2026
    risk 0.35 | cvss 6.4 | epss 0.00

    A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and…

  • CVE-2026-10635 | Medium | Jun 16, 2026
    risk 0.34 | cvss 6.3 | epss 0.00

    On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is…

  • CVE-2026-5066 | Medium | Jun 4, 2026
    risk 0.34 | cvss 6.3 | epss 0.00

    A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller-supplied address into a…

  • CVE-2026-5589 | Medium | Jun 4, 2026
    risk 0.34 | cvss 6.3 | epss 0.00

    An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising…

  • CVE-2026-5071 | Medium | May 30, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a…

  • CVE-2026-1681 | Medium | May 12, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both the echo request and the…

  • CVE-2026-4179 | Medium | Mar 16, 2026
    risk 0.33 | cvss 6.1 | epss 0.00

    Issues in the stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.

  • CVE-2026-10638 | Medium | Jun 16, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent…

  • CVE-2026-10637 | Medium | Jun 16, 2026
    risk 0.31 | cvss 5.9 | epss 0.00

    subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not…

Page 1 of 8