Zephyrproject-Rtos Zephyr vulnerabilities
118 known vulnerabilities affecting zephyrproject-rtos/zephyr.
Total CVEs: 118
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 57, MEDIUM 39, LOW 3
Vulnerabilities
Page 1 of 6
CVE-2026-5590 | MEDIUM | CVSS 6.4 | CWE-476 | Affected: ≥ *, ≤ 4.3 | Date: 2026-04-05
A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.
Sources: cvelistv5, nvd
CVE-2026-1679 | HIGH | CVSS 7.8 | CWE-120 | Affected: ≥ *, ≤ 4.3 | Date: 2026-03-28
The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly.
Sources: cvelistv5, nvd
CVE-2026-0849 | MEDIUM | CVSS 6.8 | CWE-120 | Affected: ≥ *, ≤ 4.3 | Date: 2026-03-16
Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.
Sources: cvelistv5, nvd
CVE-2026-4179 | MEDIUM | CVSS 6.1 | CWE-835 | Affected: ≥ *, ≤ 4.3 | Date: 2026-03-16
Issues in the stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.
Sources: cvelistv5, nvd
CVE-2026-1678 | CRITICAL | CVSS 9.8 | CWE-787 | Affected: ≥ *, ≤ 4.3 | Date: 2026-03-05
dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.
Sources: cvelistv5, nvd
CVE-2025-12899 | MEDIUM | CVSS 6.5 | CWE-843 | Affected: ≥ *, ≤ 4.2 | Date: 2026-01-30
A flaw in Zephyr’s network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem.
Sources: cvelistv5, nvd
CVE-2025-12035 | MEDIUM | CVSS 6.5 | CWE-190 | Affected: ≥ *, ≤ 4.2 | Date: 2025-12-15
An integer overflow condition exists in the Bluetooth Host stack, within the bt_br_acl_recv routine, a critical path for processing inbound BR/EDR L2CAP traffic.
Sources: cvelistv5, nvd
CVE-2025-9558 | HIGH | CVSS 7.6 | CWE-120 | Affected: ≥ *, ≤ 4.2 | Date: 2025-11-26
There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size.
Sources: cvelistv5, nvd
CVE-2025-9557 | HIGH | CVSS 7.6 | CWE-120 | Affected: ≥ *, ≤ 4.2 | Date: 2025-11-26
An out-of-bound write can lead to an arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service.
Sources: cvelistv5, nvd
CVE-2025-9408 | HIGH | CVSS 8.1 | CWE-270 | Affected: ≥ *, ≤ 4.2 | Date: 2025-11-11
System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes.
Sources: cvelistv5, nvd
CVE-2025-12890 | MEDIUM | CVSS 6.5 | CWE-703 | Affected: ≥ *, ≤ 4.1 | Date: 2025-11-07
Improper handling of a malformed Connection Request with the interval set to 1 (which is supposed to be illegal) and the chM 0x7CFFFFFFFF triggers a crash. The peripheral will not be connectable after it.
Sources: cvelistv5, nvd
CVE-2025-10457 | HIGH | CVSS 8.1 | CWE-358 | Affected: ≥ *, ≤ 4.1.0 | Date: 2025-09-19
The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching.
Sources: cvelistv5, nvd
CVE-2025-10458 | HIGH | CVSS 7.6 | CWE-130 | Affected: ≥ *, ≤ 4.1.0 | Date: 2025-09-19
Parameters are not validated or sanitized, and are later used in various internal operations.
Sources: cvelistv5, nvd
CVE-2025-7403 | MEDIUM | CVSS 6.5 | CWE-123 | Affected: ≥ *, ≤ 4.1 | Date: 2025-09-19
Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.
Sources: cvelistv5, nvd
CVE-2025-10456 | MEDIUM | CVSS 6.5 | CWE-190 | Affected: ≥ *, ≤ 4.1.0 | Date: 2025-09-19
A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, i
Sources: cvelistv5, nvd
CVE-2025-2962 | HIGH | CVSS 7.5 | CWE-835 | Affected: ≥ *, ≤ 4.1.0 | Date: 2025-06-24
A denial-of-service issue in the DNS implementation could cause an infinite loop.
Sources: cvelistv5, nvd
CVE-2025-1675 | CRITICAL | CVSS 9.1 | CWE-125 | Affected: ≥ *, ≤ 4.0 | Date: 2025-02-25
The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data.
Sources: cvelistv5, nvd
CVE-2025-1674 | HIGH | CVSS 8.2 | CWE-125 | Affected: ≥ *, ≤ 4.0 | Date: 2025-02-25
A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.
Sources: cvelistv5, nvd
CVE-2025-1673 | HIGH | CVSS 8.2 | CWE-125 | Affected: ≥ *, ≤ 4.0 | Date: 2025-02-25
A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.
Sources: cvelistv5, nvd
CVE-2024-10395 | HIGH | CVSS 7.5 | CWE-127 | Affected: ≥ *, ≤ 3.7 | Date: 2025-02-03
No proper validation of the length of user input in http_server_get_content_type_from_extension.
Sources: cvelistv5, nvd