Vendor CVEs
Zephyrproject Rtos
All CVEs
142 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1000800 | Zephyrproject Rtos | Critical | 0.64 | 9.8 | 0.02 | | Sep 6, 2018 | zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get() that can result in CPU Page Fault (error code 0x00000010). This attack appears to be exploitable via a malicious application calling the vulnerable kernel APIs… |
| CVE-2026-5067 | Zephyrproject Rtos | Critical | 0.57 | 9.8 | 0.01 | | Jun 9, 2026 | A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL… |
| CVE-2025-9408 | Zephyrproject Rtos | High | 0.53 | 8.1 | 0.00 | | Nov 11, 2025 | System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes. |
| CVE-2025-9558 | Zephyrproject Rtos | High | 0.49 | 7.6 | 0.00 | | Nov 26, 2025 | There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size. |
| CVE-2025-9557 | Zephyrproject Rtos | High | 0.49 | 7.6 | 0.00 | | Nov 26, 2025 | An out-of-bound write can lead to an arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service. |
| CVE-2026-5068 | Zephyrproject Rtos | High | 0.42 | 7.6 | 0.00 | | Jun 9, 2026 | A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the… |
| CVE-2025-12899 | Zephyrproject Rtos | Medium | 0.42 | 6.5 | 0.00 | | Jan 30, 2026 | A flaw in Zephyr's network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem. |
| CVE-2025-12035 | Zephyrproject Rtos | Medium | 0.42 | 6.5 | 0.00 | | Dec 15, 2025 | An integer overflow condition exists in the Bluetooth Host stack, within the bt_br_acl_recv routine, a critical path for processing inbound BR/EDR L2CAP traffic. |
| CVE-2025-12890 | Zephyrproject Rtos | Medium | 0.42 | 6.5 | 0.00 | | Nov 7, 2025 | Improper handling of a malformed Connection Request with the interval set to 1 (which is supposed to be illegal) and the chM 0x7CFFFFFFFF triggers a crash. The peripheral will not be connectable after it. |
| CVE-2026-1679 | Zephyrproject Rtos | High | 0.40 | 7.3 | 0.00 | | Mar 28, 2026 | The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can… |
| CVE-2026-5072 | Zephyrproject Rtos | Medium | 0.35 | 6.5 | 0.00 | | May 22, 2026 | A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set.… |
| CVE-2026-5590 | Zephyrproject Rtos | Medium | 0.35 | 6.4 | 0.00 | | Apr 5, 2026 | A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and… |
| CVE-2026-10635 | Zephyrproject Rtos | Medium | 0.34 | 6.3 | 0.00 | | Jun 16, 2026 | On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is… |
| CVE-2026-5066 | Zephyrproject Rtos | Medium | 0.34 | 6.3 | 0.00 | | Jun 4, 2026 | A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller-supplied address into a… |
| CVE-2026-5589 | Zephyrproject Rtos | Medium | 0.34 | 6.3 | 0.00 | | Jun 4, 2026 | An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising… |
| CVE-2026-5071 | Zephyrproject Rtos | Medium | 0.33 | 6.1 | 0.00 | | May 30, 2026 | The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a… |
| CVE-2026-1681 | Zephyrproject Rtos | Medium | 0.33 | 6.1 | 0.00 | | May 12, 2026 | Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both the echo request and the… |
| CVE-2026-4179 | Zephyrproject Rtos | Medium | 0.33 | 6.1 | 0.00 | | Mar 16, 2026 | Issues in the stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop. |
| CVE-2026-10638 | Zephyrproject Rtos | Medium | 0.31 | 5.9 | 0.00 | | Jun 16, 2026 | subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent… |
| CVE-2026-10637 | Zephyrproject Rtos | Medium | 0.31 | 5.9 | 0.00 | | Jun 16, 2026 | subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not… |
| CVE-2026-1677 | Zephyrproject Rtos | Medium | 0.27 | 5.3 | 0.00 | | May 11, 2026 | Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_tls_version`). The ClientHello… |
| CVE-2026-10639 | Zephyrproject Rtos | Medium | 0.24 | 4.8 | 0.00 | | Jun 16, 2026 | In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of… |
| CVE-2026-10634 | Zephyrproject Rtos | Medium | 0.24 | 4.8 | 0.00 | | Jun 15, 2026 | Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the… |
| CVE-2026-10640 | Zephyrproject Rtos | Medium | 0.20 | 4.2 | 0.00 | | Jun 16, 2026 | Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success… |
| CVE-2026-0849 | Zephyrproject Rtos | Low | 0.18 | 3.8 | 0.00 | | Mar 16, 2026 | Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution. |
| CVE-2026-10636 | Zephyrproject Rtos | Low | 0.17 | 3.7 | 0.00 | | Jun 16, 2026 | In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been… |
| CVE-2026-10642 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Jun 24, 2026 | The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to work around the controller's… |
| CVE-2026-10658 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Jun 22, 2026 | A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header… |
| CVE-2026-10651 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Jun 22, 2026 | A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then… |
| CVE-2026-10645 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Jun 22, 2026 | Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then… |
| CVE-2026-10641 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Jun 17, 2026 | Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a… |
| CVE-2026-1678 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Mar 5, 2026 | dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can… |
| CVE-2025-10456 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Sep 19, 2025 | A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not… |
| CVE-2025-10458 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Sep 19, 2025 | Parameters are not validated or sanitized, and are later used in various internal operations. |
| CVE-2025-7403 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Sep 19, 2025 | Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption. |
| CVE-2025-10457 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Sep 19, 2025 | The function responsible for handling BLE connection responses does not verify whether a response is expected, that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching. |
| CVE-2025-2962 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Jun 24, 2025 | A denial-of-service issue in the DNS implementation could cause an infinite loop. |
| CVE-2025-1675 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Feb 25, 2025 | The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data. |
| CVE-2025-1674 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Feb 25, 2025 | A lack of input validation allows for out-of-bounds reads caused by malicious or malformed packets. |
| CVE-2025-1673 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Feb 25, 2025 | A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation. |
| CVE-2024-10395 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Feb 3, 2025 | No proper validation of the length of user input in http_server_get_content_type_from_extension. |
| CVE-2024-8798 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Dec 15, 2024 | No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c. |
| CVE-2024-11263 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Nov 15, 2024 | When Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp register points 0x800 bytes past the start of the .sdata section, which is then used by the linker to relax accesses to global symbols. |
| CVE-2024-6444 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Oct 4, 2024 | No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c. |
| CVE-2024-6443 | Zephyrproject Rtos | | 0.00 | — | 0.01 | | Oct 4, 2024 | In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty. |
| CVE-2024-6442 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Oct 4, 2024 | In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow. |
| CVE-2024-6259 | Zephyrproject Rtos | | 0.00 | — | 0.01 | | Sep 13, 2024 | BT: HCI: Improper discarding in adv_ext_report |
| CVE-2024-6137 | Zephyrproject Rtos | | 0.00 | — | 0.01 | | Sep 13, 2024 | BT: Classic: SDP OOB access in get_att_search_list |
| CVE-2024-6135 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Sep 13, 2024 | BT: Classic: Multiple missing buf length checks |
| CVE-2024-5931 | Zephyrproject Rtos | | 0.00 | — | 0.00 | | Sep 13, 2024 | BT: Unchecked user input in bap_broadcast_assistant |
Page 1 of 3