Zephyrproject-Rtos Zephyr vulnerabilities
128 known vulnerabilities affecting zephyrproject-rtos/zephyr.
Total CVEs: 128
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL: 20, HIGH: 61, MEDIUM: 44, LOW: 3
Vulnerabilities
Page 2 of 7
CVE-2021-3966 | P3 | HIGH | CVSS 8.8 | CWE-122 | ≥ unspecified, ≤ v3.0 | 2023-01-11
usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.
nvd
CVE-2023-2234 | P3 | HIGH | CVSS 8.8 | CWE-843 | ≥ *, ≤ 3.3 | 2023-07-10
Union variant confusion allows any malicious BT controller to execute arbitrary code on the Zephyr host.
nvd
CVE-2022-3806 | P3 | CRITICAL | CVSS 9.8 | CWE-415 | ≥ unspecified, ≤ v3.2 | 2023-01-25
Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.
nvd
CVE-2023-5753 | P3 | HIGH | CVSS 8.8 | CWE-120 | ≥ *, < 3.5 | 2023-10-25
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
nvd
CVE-2022-1041 | P3 | HIGH | CVSS 8.8 | CWE-787 | ≥ unspecified, ≤ v3.0 | 2022-07-26
In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.
nvd
CVE-2022-1042 | P3 | HIGH | CVSS 8.8 | CWE-787 | ≥ unspecified, ≤ v3.0 | 2022-07-26
In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.
nvd
CVE-2020-10061 | P3 | HIGH | CVSS 8.8 | CWE-119 | ≥ 2.2.0, < unspecified; ≥ 1.14.0, < unspecified | 2020-06-05
Improper handling of the full-buffer case in the Zephyr Bluetooth implementation can result in memory corruption. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions, and version 1.14.0 and later versions.
nvd
CVE-2021-3581 | P3 | HIGH | CVSS 8.8 | CWE-805 | ≥ 2.5.0, < unspecified | 2021-10-05
Buffer Access with Incorrect Length Value in zephyr. Zephyr versions >= 2.5.0 contain Buffer Access with Incorrect Length Value (CWE-805). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5
nvd
CVE-2026-13351 | P3 | HIGH | CVSS 7.5 | CWE-772 | ≥ *, ≤ 4.3 | 2026-06-25
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the
nvd
CVE-2021-3321 | P3 | HIGH | CVSS 8.8 | CWE-680 | ≥ 2.4.0, < unspecified | 2021-10-12
Integer Underflow in Zephyr in IEEE 802154 Fragment Reassembly Header Removal. Zephyr versions >= 2.4.0 contain Integer Overflow to Buffer Overflow (CWE-680). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-w44j-66g7-xw99
nvd
CVE-2021-3330 | P3 | HIGH | CVSS 8.8 | CWE-787 | ≥ 2.4.0, < unspecified | 2021-10-12
RCE/DOS: Linked-list corruption leading to large out-of-bounds write while sorting for forged fragment list in Zephyr. Zephyr versions >= 2.4.0 contain Out-of-bounds Write (CWE-787). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fj4r-373f-9456
nvd
CVE-2023-5184 | P3 | HIGH | CVSS 8.8 | CWE-120 | ≥ *, ≤ 3.4 | 2023-09-27
Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.
nvd
CVE-2025-10457 | P3 | HIGH | CVSS 8.1 | CWE-358 | ≥ *, ≤ 4.1.0 | 2025-09-19
The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching.
nvd
CVE-2021-3323 | P3 | CRITICAL | CVSS 9.8 | CWE-191 | ≥ 2.4.0, < unspecified | 2021-10-12
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Zephyr versions >= 2.4.0 contain Integer Underflow (Wrap or Wraparound) (CWE-191). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-89j6-qpxf-pfpc
nvd
CVE-2020-10065 | P3 | HIGH | CVSS 8.8 | CWE-130 | ≥ v1.14.2, < unspecified; ≥ v2.2.0, < unspecified | 2021-05-25
Missing Size Checks in Bluetooth HCI over SPI. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Length Parameter Inconsistency (CWE-130). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hg2w-62p6-g67c
nvd
CVE-2025-1674 | P3 | HIGH | CVSS 8.2 | CWE-125 | ≥ *, ≤ 4.0 | 2025-02-25
A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.
nvd
CVE-2021-3319 | P3 | CRITICAL | CVSS 9.8 | CWE-476 | ≥ > v2.4.0, < unspecified | 2021-10-05
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Zephyr versions >= > v2.4.0 contain NULL Pointer Dereference (CWE-476), Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364
nvd
CVE-2026-5068 | P3 | HIGH | CVSS 7.6 | CWE-787 | ≥ 1.14.0, ≤ 4.3.0 | 2026-06-09
A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the segmentation counter stored in the net_buf user_data area is written out of bounds i
nvd
CVE-2023-1901 | P3 | HIGH | CVSS 8.0 | CWE-787 | ≥ *, ≤ 3.3 | 2023-07-10
The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.
nvd
CVE-2025-9408 | P3 | HIGH | CVSS 8.1 | CWE-270 | ≥ *, ≤ 4.2 | 2025-11-11
System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes.
nvd