VYPR · Vendor CVEs · Zephyr Project RTOS · All CVEs

142 total · sorted by risk
  • CVE-2018-1000800 · Critical · Sep 6, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    zephyr-rtos version 1.12.0 contains a NULL base pointer dereference vulnerability in sys_ring_buf_put() and sys_ring_buf_get() that can result in a CPU page fault (error code 0x00000010). The issue appears to be exploitable by a malicious application calling the vulnerable kernel APIs…

  • CVE-2026-5067 · Critical · Jun 9, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL…
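
The bug class named in this entry, a bounded copy into a fixed buffer that leaves no NUL terminator, shown beside a checked copy. This is an added illustration, not Zephyr's HTTP server code; `WS_KEY_BUF_SIZE`, `struct ws_ctx` and the function names are assumptions made for the example.

```c
/* Added example (not Zephyr's HTTP server code): a bounded header copy that
 * does not guarantee a NUL terminator, beside a length-checked copy.
 * WS_KEY_BUF_SIZE and struct ws_ctx are assumptions for illustration. */
#include <stddef.h>
#include <string.h>

#define WS_KEY_BUF_SIZE 32

struct ws_ctx {
    char key[WS_KEY_BUF_SIZE];
    char after[8];   /* stands in for whatever the real struct holds next */
};

/* Vulnerable pattern: strncpy() bounded by the destination size writes no NUL
 * when the value is WS_KEY_BUF_SIZE bytes or longer, so a later string
 * operation on key[] keeps reading into the bytes that follow it.
 * Returns the length such a string operation would see, scanning the whole
 * struct, so the over-read is observable without undefined behaviour. */
size_t ws_key_copy_unsafe(struct ws_ctx *ctx, const char *value)
{
    memset(ctx->after, 'A', sizeof(ctx->after));  /* non-zero neighbours */
    strncpy(ctx->key, value, WS_KEY_BUF_SIZE);      /* no terminator if strlen(value) >= 32 */

    const char *p = (const char *)ctx;
    size_t n = 0;
    while (n < sizeof(*ctx) && p[n] != '\0') {
        n++;
    }
    return n;   /* > WS_KEY_BUF_SIZE whenever the terminator was never written */
}

/* Hardened pattern: check the length against the buffer first, copy exactly
 * that many bytes and terminate explicitly. A Sec-WebSocket-Key is 24 base64
 * characters (RFC 6455), so a stricter parser can reject any other length. */
int ws_key_copy_safe(struct ws_ctx *ctx, const char *value, size_t value_len)
{
    if (value_len >= WS_KEY_BUF_SIZE) {
        return -1;   /* caller answers 400 Bad Request and closes */
    }
    memcpy(ctx->key, value, value_len);
    ctx->key[value_len] = '\0';
    return 0;
}
```

The unsafe variant only demonstrates the missing terminator; in the real parser the consequence depends on what follows the buffer and which string function runs next.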

  • CVE-2025-9408 · High · Nov 11, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    System call entry on Cortex-M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes.

  • CVE-2025-9558 · High · Nov 26, 2025
    risk 0.49 · cvss 7.6 · epss 0.00

    There is a potential out-of-bounds write in the gen_prov_start function in pb_adv.c: the full length of the received data is copied into the link.rx.buf receive buffer without any validation of the data size.

  • CVE-2025-9557 · High · Nov 26, 2025
    risk 0.49 · cvss 7.6 · epss 0.00

    An out-of-bounds write can lead to arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service.

  • CVE-2026-5068 · High · Jun 9, 2026
    risk 0.42 · cvss 7.6 · epss 0.00

    A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the…

  • CVE-2025-12899 · Medium · Jan 30, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A flaw in Zephyr’s network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem.

  • CVE-2025-12035 · Medium · Dec 15, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    An integer overflow condition exists in the Bluetooth Host stack, within the bt_br_acl_recv routine, a critical path for processing inbound BR/EDR L2CAP traffic.

  • CVE-2025-12890 · Medium · Nov 7, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    Improper handling of a malformed Connection Request with the interval set to 1 (which is supposed to be illegal) and the channel map (chM) set to 0x7CFFFFFFFF triggers a crash. The peripheral is no longer connectable afterwards.
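
What explicit validation of those two fields looks like, as an added example that is not Zephyr controller code: the ranges are the ones the Bluetooth Core Specification gives for the CONNECT_IND parameters (interval 6..3200 units of 1.25 ms, latency up to 499, supervision timeout 100 ms..32 s and larger than (1 + latency) * interval * 2, channel map bits 37..39 reserved with at least two channels used, hop increment 5..16). `struct connect_ind_params`, the error codes and the function name are assumptions made for the example. Both values from the description fail: interval 1 is below the minimum, and 0x7CFFFFFFFF sets reserved channel-map bits 37 and 38.

```c
/* Added example, not Zephyr controller code: runtime validation of the
 * CONNECT_IND parameters a peripheral receives, using Core Specification ranges.
 * struct connect_ind_params and enum ll_param_err are assumptions. */
#include <stdint.h>

#define LL_INTERVAL_MIN 6U                  /* 7.5 ms in 1.25 ms units */
#define LL_INTERVAL_MAX 3200U               /* 4 s */
#define LL_LATENCY_MAX 499U
#define LL_TIMEOUT_MIN 10U                  /* 100 ms in 10 ms units */
#define LL_TIMEOUT_MAX 3200U                /* 32 s */
#define LL_HOP_MIN 5U
#define LL_HOP_MAX 16U
#define LL_CHM_DATA_MASK 0x1FFFFFFFFFULL    /* data channels 0..36; bits 37..39 are RFU */
#define LL_CHM_MIN_USED 2U

struct connect_ind_params {
    uint16_t interval;   /* connInterval, 1.25 ms units */
    uint16_t latency;    /* connPeripheralLatency */
    uint16_t timeout;    /* connSupervisionTimeout, 10 ms units */
    uint64_t chm;        /* channel map, bit n = data channel n */
    uint8_t  hop;        /* hop increment */
};

enum ll_param_err {
    LL_PARAM_OK = 0,
    LL_ERR_INTERVAL,
    LL_ERR_LATENCY,
    LL_ERR_TIMEOUT,
    LL_ERR_CHM_RFU,
    LL_ERR_CHM_COUNT,
    LL_ERR_HOP,
};

static unsigned int chm_used_channels(uint64_t chm)
{
    unsigned int n = 0;

    while (chm) {
        chm &= chm - 1;   /* clear the lowest set bit */
        n++;
    }
    return n;
}

enum ll_param_err ll_validate_connect_ind(const struct connect_ind_params *p)
{
    if (p->interval < LL_INTERVAL_MIN || p->interval > LL_INTERVAL_MAX) {
        return LL_ERR_INTERVAL;   /* interval 1 from the description fails here */
    }
    if (p->latency > LL_LATENCY_MAX) {
        return LL_ERR_LATENCY;
    }
    if (p->timeout < LL_TIMEOUT_MIN || p->timeout > LL_TIMEOUT_MAX) {
        return LL_ERR_TIMEOUT;
    }
    /* Timeout must exceed (1 + latency) * interval * 2. Compare in 1.25 ms
     * units: the timeout is in 10 ms units, so scale it by 8. */
    if ((uint32_t)p->timeout * 8U <= (uint32_t)(1U + p->latency) * p->interval * 2U) {
        return LL_ERR_TIMEOUT;
    }
    if (p->chm & ~LL_CHM_DATA_MASK) {
        return LL_ERR_CHM_RFU;    /* 0x7CFFFFFFFF sets RFU bits 37 and 38 */
    }
    if (chm_used_channels(p->chm) < LL_CHM_MIN_USED) {
        return LL_ERR_CHM_COUNT;
    }
    if (p->hop < LL_HOP_MIN || p->hop > LL_HOP_MAX) {
        return LL_ERR_HOP;
    }
    return LL_PARAM_OK;
}
```

A controller that rejects the PDU at this point simply ignores it and keeps advertising, which is the behaviour the description says is lost.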

  • CVE-2026-1679 · High · Mar 28, 2026
    risk 0.40 · cvss 7.3 · epss 0.00

    The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can…

  • CVE-2026-5072 · Medium · May 22, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set.…

  • CVE-2026-5590 · Medium · Apr 5, 2026
    risk 0.35 · cvss 6.4 · epss 0.00

    A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and…

  • CVE-2026-10635 · Medium · Jun 16, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is…

  • CVE-2026-5066 · Medium · Jun 4, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller-supplied address into a…

  • CVE-2026-5589 · Medium · Jun 4, 2026
    risk 0.34 · cvss 6.3 · epss 0.00

    An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising…

  • CVE-2026-5071 · Medium · May 30, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a…
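
The failure mode in this entry, a length check that exists only as an assertion and therefore disappears in a production build, shown beside the same path with a runtime check. This is an added example, not Zephyr's SocketCAN code: the 13-byte wire layout, `DEMO_ASSERT`, `struct demo_can_frame` and the function names are assumptions made for illustration.

```c
/* Added example, not Zephyr's SocketCAN code: an assertion-only length check
 * (compiled out in production) beside a real runtime check. The wire layout,
 * DEMO_ASSERT and the frame struct are assumptions for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Production-style build: the assertion expands to nothing, which is the case
 * the entry describes. Define DEMO_ASSERT_ON to get the debug behaviour. */
#ifdef DEMO_ASSERT_ON
#include <assert.h>
#define DEMO_ASSERT(cond) assert(cond)
#else
#define DEMO_ASSERT(cond) ((void)0)
#endif

#define SCF_WIRE_LEN 13U   /* 4-byte id + 1-byte length + 8 data bytes (assumed layout) */
#define CAN_MAX_DLEN 8U

struct demo_can_frame {
    uint32_t id;
    uint8_t len;
    uint8_t data[CAN_MAX_DLEN];
};

static void parse_frame(const uint8_t *buf, struct demo_can_frame *out)
{
    memcpy(&out->id, buf, sizeof(out->id));
    out->len = buf[4];
    memcpy(out->data, buf + 5, CAN_MAX_DLEN);
}

/* Vulnerable: the only length check is an assertion, after which all
 * SCF_WIRE_LEN bytes are read from buf no matter how small len is.
 * Returns 0 ("accepted") even for a 3-byte user buffer. */
int can_sendto_assert_only(const uint8_t *buf, size_t len, struct demo_can_frame *out)
{
    DEMO_ASSERT(buf != NULL && len == SCF_WIRE_LEN);
    parse_frame(buf, out);   /* reads 13 bytes regardless of len */
    return 0;
}

/* Hardened: validate at runtime and fail with -EINVAL as the socket API allows,
 * and also bound the payload length carried inside the frame before use. */
int can_sendto_checked(const uint8_t *buf, size_t len, struct demo_can_frame *out)
{
    if (buf == NULL || len != SCF_WIRE_LEN) {
        return -EINVAL;
    }
    parse_frame(buf, out);
    if (out->len > CAN_MAX_DLEN) {
        return -EINVAL;
    }
    return 0;
}
```

The test below passes a truncated user buffer that is still inside a larger allocation, so the asserting version's over-read is observable as "accepted" without the test itself touching unmapped memory; on a real target the extra bytes come from whatever follows the caller's buffer.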

  • CVE-2026-1681 · Medium · May 12, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both the echo request and the…

  • CVE-2026-4179 · Medium · Mar 16, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    Issues in the stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.

  • CVE-2026-10638 · Medium · Jun 16, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent…

  • CVE-2026-10637 · Medium · Jun 16, 2026
    risk 0.31 · cvss 5.9 · epss 0.00

    subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not…

  • CVE-2026-1677 · Medium · May 11, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_tls_version`). The ClientHello…

  • CVE-2026-10639 · Medium · Jun 16, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of…

  • CVE-2026-10634 · Medium · Jun 15, 2026
    risk 0.24 · cvss 4.8 · epss 0.00

    Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the…

  • CVE-2026-10640 · Medium · Jun 16, 2026
    risk 0.20 · cvss 4.2 · epss 0.00

    Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success…

  • CVE-2026-0849 · Low · Mar 16, 2026
    risk 0.18 · cvss 3.8 · epss 0.00

    Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.

  • CVE-2026-10636 · Low · Jun 16, 2026
    risk 0.17 · cvss 3.7 · epss 0.00

    In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been…
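
The ownership mistake shared by CVE-2026-10636, CVE-2026-10637, CVE-2026-10638, CVE-2026-10639 and CVE-2026-10640 above (reading `net_pkt_iface(pkt)` after the packet has been handed to the send path) reduced to a single-threaded illustration, with the fixed ordering beside it. This is an added example and not Zephyr's network stack: `demo_pkt`, `demo_iface`, the static pool and `demo_send_data()` are stand-ins for `net_pkt`, `net_if`, the packet slab and `net_send_data()`/`net_try_send_data()`; the stand-in send path completes synchronously and drops the last reference so the stale read is visible without a second thread.

```c
/* Added example, not Zephyr's net stack: "read the packet after handing it to
 * the send path" beside the fixed ordering. demo_pkt/demo_iface/pkt_pool stand
 * in for net_pkt/net_if/the packet slab; demo_send_data() stands in for
 * net_send_data() and finishes synchronously so the stale read is visible. */
#include <stddef.h>

struct demo_iface {
    unsigned int icmp_sent;
};

struct demo_pkt {
    struct demo_iface *iface;
    int refs;
};

static struct demo_pkt pkt_pool[4];   /* slab stand-in: slots are recycled */

struct demo_pkt *demo_pkt_alloc(struct demo_iface *iface)
{
    for (size_t i = 0; i < sizeof(pkt_pool) / sizeof(pkt_pool[0]); i++) {
        if (pkt_pool[i].refs == 0) {
            pkt_pool[i].iface = iface;
            pkt_pool[i].refs = 1;
            return &pkt_pool[i];
        }
    }
    return NULL;
}

void demo_pkt_unref(struct demo_pkt *pkt)
{
    if (pkt->refs > 0 && --pkt->refs == 0) {
        /* Slot returns to the pool. Real memory would hold garbage or the next
         * owner's data; poisoning to NULL keeps the example deterministic. */
        pkt->iface = NULL;
    }
}

/* Stand-in for net_send_data(): on success the stack owns the packet and may
 * drop its last reference before returning; on failure the caller still owns it. */
int demo_send_data(struct demo_pkt *pkt)
{
    if (pkt->iface == NULL) {
        return -1;
    }
    demo_pkt_unref(pkt);   /* "L2 completed synchronously": last reference gone */
    return 0;
}

static void demo_stats_icmp_sent(struct demo_iface *iface)
{
    if (iface) {
        iface->icmp_sent++;
    }
}

/* Vulnerable ordering: the interface is read from the packet after the send.
 * Returns the interface pointer the statistics update actually used. */
struct demo_iface *send_echo_reply_stale(struct demo_pkt *reply)
{
    if (demo_send_data(reply) < 0) {
        demo_pkt_unref(reply);
        return NULL;
    }
    struct demo_iface *iface = reply->iface;   /* use after release */
    demo_stats_icmp_sent(iface);
    return iface;
}

/* Fixed ordering: capture everything needed from the packet before the hand-off. */
struct demo_iface *send_echo_reply_fixed(struct demo_pkt *reply)
{
    struct demo_iface *iface = reply->iface;

    if (demo_send_data(reply) < 0) {
        demo_pkt_unref(reply);
        return NULL;
    }
    demo_stats_icmp_sent(iface);
    return iface;
}
```

The same rule covers any field of the packet, not only the interface: once the send call has returned success, nothing about `pkt` may be touched by the caller.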

  • CVE-2026-10642 · Jun 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to work around the controller's…

  • CVE-2026-10658 · Jun 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header…

  • CVE-2026-10651 · Jun 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then…

  • CVE-2026-10645 · Jun 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then…

  • CVE-2026-10641 · Jun 17, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a…

  • CVE-2026-1678 · Mar 5, 2026
    risk 0.00 · cvss n/a · epss 0.00

    dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can…

  • CVE-2025-10456 · Sep 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not…

  • CVE-2025-10458 · Sep 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Parameters are not validated or sanitized, and are later used in various internal operations.

  • CVE-2025-7403 · Sep 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.

  • CVE-2025-10457 · Sep 19, 2025
    risk 0.00 · cvss n/a · epss 0.00

    The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching.

  • CVE-2025-2962 · Jun 24, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A denial-of-service issue in the DNS implementation could cause an infinite loop.

  • CVE-2025-1675 · Feb 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted field and does not check whether the source buffer is large enough to contain the copied data.

  • CVE-2025-1674 · Feb 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.

  • CVE-2025-1673 · Feb 25, 2025
    risk 0.00 · cvss n/a · epss 0.00

    A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.
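
The DNS name entries on this page describe four separate ways a name decoder goes wrong: a cached destination tailroom that goes stale as labels are appended (CVE-2026-1678), a memcpy whose length comes from the packet without a source bounds check (CVE-2025-1675), out-of-bounds reads on malformed packets in general (CVE-2025-1674) and a packet with no payload at all (CVE-2025-1673). One decoder that handles all four, as an added example that is not Zephyr's `dns_unpack_name()` or `dns_copy_qname()`: every label length is checked against the bytes remaining in the message, the destination space is recomputed from the current output length on every iteration, compression pointers are followed with a jump limit (`DNS_MAX_JUMPS` is an assumed value), and an empty message fails cleanly.

```c
/* Added example, not Zephyr's dns_pack.c: a bounds-checked DNS name decoder.
 * Source-side checks cover the over-read cases; the destination check is
 * recomputed per label instead of being cached once. DNS_MAX_JUMPS is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_PTR_MASK 0xC0
#define DNS_MAX_JUMPS 16   /* assumed guard against compression-pointer loops */

/* Decode the name at msg[off] into out as a dotted, NUL-terminated string.
 * Returns the message offset just past the name (past the first compression
 * pointer if one was followed), or -1 on any malformed input. */
int dns_unpack_name_checked(const uint8_t *msg, size_t msg_len, size_t off,
                            char *out, size_t out_size)
{
    size_t pos = off;
    size_t out_len = 0;
    int end_off = -1;
    unsigned int jumps = 0;

    if (out_size == 0) {
        return -1;
    }
    out[0] = '\0';

    for (;;) {
        if (pos >= msg_len) {
            return -1;   /* length byte outside the message (covers an empty payload) */
        }
        uint8_t len = msg[pos++];

        if ((len & DNS_PTR_MASK) == DNS_PTR_MASK) {
            if (pos >= msg_len) {
                return -1;   /* second pointer byte missing */
            }
            if (++jumps > DNS_MAX_JUMPS) {
                return -1;   /* pointer loop */
            }
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos++];

            if (end_off < 0) {
                end_off = (int)pos;   /* the name ends after the first pointer */
            }
            if (target >= msg_len) {
                return -1;
            }
            pos = target;
            continue;
        }
        if (len & DNS_PTR_MASK) {
            return -1;   /* 0x40 / 0x80 prefixes are reserved */
        }
        if (len == 0) {
            break;       /* root label terminates the name */
        }
        if (len > msg_len - pos) {
            return -1;   /* label bytes would run past the message: no blind memcpy */
        }

        /* Destination space is derived from out_len right here, every time;
         * a value cached before the loop would not see earlier labels. */
        size_t need = (size_t)len + (out_len ? 1 : 0);   /* label plus '.' separator */

        if (need >= out_size - out_len) {
            return -1;   /* keep one byte for the terminator */
        }
        if (out_len) {
            out[out_len++] = '.';
        }
        memcpy(out + out_len, msg + pos, len);
        out_len += len;
        pos += len;
    }

    out[out_len] = '\0';
    return end_off >= 0 ? end_off : (int)pos;
}
```

The caller uses the returned offset to continue parsing the question or record that follows; a -1 should drop the whole response rather than retry, since a truncated or looping name means nothing after it can be trusted either.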

  • CVE-2024-10395 · Feb 3, 2025
    risk 0.00 · cvss n/a · epss 0.00

    No proper validation of the length of user input in http_server_get_content_type_from_extension.

  • CVE-2024-8798 · Dec 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.

  • CVE-2024-11263 · Nov 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    When Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp register points 0x800 bytes past the start of the .sdata section, which the linker then uses to relax accesses to global symbols.

  • CVE-2024-6444 · Oct 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.

  • CVE-2024-6443 · Oct 4, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty.
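
What a truncation helper of this kind does and where the empty-string case has to be handled, as an added example that is not `lib/utils/utf8.c`: the function removes an incomplete trailing UTF-8 sequence left behind by a byte-level cut, and without the `len == 0` guard its "last byte" pointer would be computed as `s - 1`, which is the defect the entry describes. The function name is an assumption made for the example.

```c
/* Added example, not lib/utils/utf8.c: drop an incomplete trailing UTF-8
 * sequence in place. The early return on an empty string is the guard whose
 * absence puts last_byte_p one byte before the start of the string. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Expected sequence length for a lead byte, 0 for a continuation/invalid byte. */
static size_t utf8_seq_len(uint8_t lead)
{
    if ((lead & 0x80) == 0x00) return 1;
    if ((lead & 0xE0) == 0xC0) return 2;
    if ((lead & 0xF0) == 0xE0) return 3;
    if ((lead & 0xF8) == 0xF0) return 4;
    return 0;
}

char *utf8_trunc_checked(char *s)
{
    size_t len = strlen(s);

    if (len == 0) {
        return s;   /* the missing guard: otherwise last = s - 1 */
    }

    uint8_t *last = (uint8_t *)s + len - 1;
    uint8_t *lead = last;
    size_t back = 0;

    /* Walk back over continuation bytes (10xxxxxx) to the lead byte; a valid
     * sequence has at most three of them, and never walk before s. */
    while ((*lead & 0xC0) == 0x80 && lead > (uint8_t *)s && back < 3) {
        lead--;
        back++;
    }

    size_t expect = utf8_seq_len(*lead);
    size_t have = (size_t)(last - lead) + 1;

    if (expect == 0 || have < expect) {
        *lead = '\0';            /* no lead byte, or sequence cut short: drop it */
    } else if (have > expect) {
        lead[expect] = '\0';     /* stray continuation bytes after a complete char */
    }
    return s;
}
```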

  • CVE-2024-6442 · Oct 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.

  • CVE-2024-6259 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.01

    BT: HCI: improper discarding in adv_ext_report

  • CVE-2024-6137 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.01

    BT: Classic: SDP OOB access in get_att_search_list

  • CVE-2024-6135 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    BT:Classic: Multiple missing buf length checks

  • CVE-2024-5931 · Sep 13, 2024
    risk 0.00 · cvss n/a · epss 0.00

    BT: Unchecked user input in bap_broadcast_assistant

Page 1 of 3