Vendor: Zephyrproject Rtos
Products: 1
CVEs: 115 (across products: 115)
Status: Private

Recent CVEs (115)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-9408 | High | 0.53 | 8.1 | 0.00 | | Nov 11, 2025 | System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes. |
| CVE-2025-9557 | High | 0.49 | 7.6 | 0.00 | | Nov 26, 2025 | An out-of-bound write can lead to an arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service. |
| CVE-2026-5590 | Medium | 0.42 | 6.4 | 0.00 | | Apr 5, 2026 | A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash. |
| CVE-2025-12899 | Medium | 0.42 | 6.5 | 0.00 | | Jan 30, 2026 | A flaw in Zephyr's network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem. |
| CVE-2025-12890 | Medium | 0.42 | 6.5 | 0.00 | | Nov 7, 2025 | Improper handling of a malformed Connection Request with the interval set to 1 (which is supposed to be illegal) and the chM 0x7CFFFFFFFF triggers a crash. The peripheral will not be connectable after it. |
| CVE-2026-1681 | Medium | 0.40 | 6.1 | 0.00 | | May 12, 2026 | Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both the echo request and the resulting echo reply are processed inline before the current frame returns. The nested input-path frames exceed the work-queue stack and trigger a stack overflow. |
| CVE-2026-1677 | Medium | 0.34 | 5.3 | 0.00 | | May 11, 2026 | Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_tls_version`). The ClientHello advertises both versions and the peer can establish TLS 1.2, so applications that assumed `IPPROTO_TLS_1_3` enforces TLS 1.3 may silently use TLS 1.2 and remain exposed to TLS 1.2-specific weaknesses. As a workaround, the `TLS_CIPHERSUITE_LIST` socket option can be restricted to TLS 1.3-only cipher suites. |
| CVE-2020-10070 | | 0.01 | — | 0.06 | | Jun 5, 2020 | In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions. |
| CVE-2026-1678 | | 0.00 | — | 0.00 | | Mar 5, 2026 | dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled. |
| CVE-2025-10456 | | 0.00 | — | 0.00 | | Sep 19, 2025 | A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption, depending on the BLE stack implementation. |
| CVE-2025-10458 | | 0.00 | — | 0.00 | | Sep 19, 2025 | Parameters are not validated or sanitized, and are later used in various internal operations. |
| CVE-2025-7403 | | 0.00 | — | 0.00 | | Sep 19, 2025 | Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption. |
| CVE-2025-10457 | | 0.00 | — | 0.00 | | Sep 19, 2025 | The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching. |
| CVE-2025-2962 | | 0.00 | — | 0.00 | | Jun 24, 2025 | A denial-of-service issue in the DNS implementation could cause an infinite loop. |
| CVE-2025-1675 | | 0.00 | — | 0.00 | | Feb 25, 2025 | The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data. |
| CVE-2025-1674 | | 0.00 | — | 0.00 | | Feb 25, 2025 | A lack of input validation allows for out-of-bounds reads caused by malicious or malformed packets. |
| CVE-2025-1673 | | 0.00 | — | 0.00 | | Feb 25, 2025 | A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation. |
| CVE-2024-10395 | | 0.00 | — | 0.00 | | Feb 3, 2025 | No proper validation of the length of user input in http_server_get_content_type_from_extension. |
| CVE-2024-8798 | | 0.00 | — | 0.00 | | Dec 15, 2024 | No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c. |
| CVE-2024-11263 | | 0.00 | — | 0.00 | | Nov 15, 2024 | When Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp register points at 0x800 bytes past the start of the .sdata section, which is then used by the linker to relax accesses to global symbols. |