VYPR

Zephyr

by Zephyrproject Rtos

CVEs (141)

  • CVE-2026-1677 (Medium, May 11, 2026)
    risk 0.27, cvss 5.3, epss 0.00

    Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_tls_version`). The ClientHello…

  • CVE-2026-10639 (Medium, Jun 16, 2026)
    risk 0.24, cvss 4.8, epss 0.00

    In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of…

  • CVE-2026-10634 (Medium, Jun 15, 2026)
    risk 0.24, cvss 4.8, epss 0.00

    Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the…

  • CVE-2026-10640 (Medium, Jun 16, 2026)
    risk 0.20, cvss 4.2, epss 0.00

    Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success…

  • CVE-2026-0849 (Low, Mar 16, 2026)
    risk 0.18, cvss 3.8, epss 0.00

    Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.

  • CVE-2026-10636 (Low, Jun 16, 2026)
    risk 0.17, cvss 3.7, epss 0.00

    In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been…

  • CVE-2026-10642 (Jun 24, 2026)
    risk 0.00, cvss n/a, epss 0.00

    The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to work around the controller's…

  • CVE-2026-10658 (Jun 22, 2026)
    risk 0.00, cvss n/a, epss 0.00

    A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header…

  • CVE-2026-10651 (Jun 22, 2026)
    risk 0.00, cvss n/a, epss 0.00

    A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then…

  • CVE-2026-10645 (Jun 22, 2026)
    risk 0.00, cvss n/a, epss 0.00

    Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then…

  • CVE-2026-10641 (Jun 17, 2026)
    risk 0.00, cvss n/a, epss 0.00

    Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a…

  • CVE-2026-1678 (Mar 5, 2026)
    risk 0.00, cvss n/a, epss 0.00

    dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can…

  • CVE-2025-10456 (Sep 19, 2025)
    risk 0.00, cvss n/a, epss 0.00

    A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not…

  • CVE-2025-10458 (Sep 19, 2025)
    risk 0.00, cvss n/a, epss 0.00

    Parameters are not validated or sanitized, and are later used in various internal operations.

  • CVE-2025-7403 (Sep 19, 2025)
    risk 0.00, cvss n/a, epss 0.00

    Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.

  • CVE-2025-10457 (Sep 19, 2025)
    risk 0.00, cvss n/a, epss 0.00

    The function responsible for handling BLE connection responses does not verify whether a response is expected, that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching.

  • CVE-2025-2962 (Jun 24, 2025)
    risk 0.00, cvss n/a, epss 0.00

    A denial-of-service issue in the DNS implementation could cause an infinite loop.

  • CVE-2025-1675 (Feb 25, 2025)
    risk 0.00, cvss n/a, epss 0.00

    The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted length field and does not check whether the source buffer is large enough to contain the copied data.

  • CVE-2025-1674 (Feb 25, 2025)
    risk 0.00, cvss n/a, epss 0.00

    A lack of input validation allows out-of-bounds reads caused by malicious or malformed packets.

  • CVE-2025-1673 (Feb 25, 2025)
    risk 0.00, cvss n/a, epss 0.00

    A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.

Page 2 of 8