
Zephyrproject-Rtos Zephyr vulnerabilities

128 known vulnerabilities affecting zephyrproject-rtos/zephyr.

Total CVEs: 128
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 20, HIGH 61, MEDIUM 44, LOW 3

Vulnerabilities

Page 3 of 7
CVE-2020-10027 | P3 | HIGH | CVSS 7.8 | ≥ 1.14.0, < unspecified; ≥ 2.1.0, < unspecified | 2020-05-11
CVE-2020-10027 [HIGH] CWE-697: An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.
nvd
CVE-2020-10024 | P3 | HIGH | CVSS 7.8 | ≥ 1.14.0, < unspecified; ≥ 2.1.0, < unspecified | 2020-05-11
CVE-2020-10024 [HIGH] CWE-697: The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.
nvd
CVE-2021-3434 | P3 | HIGH | CVSS 7.8 | ≥ *, ≤ 3.4 | 2022-06-28
CVE-2021-3434 [HIGH] CWE-121: Stack based buffer overflow in le_ecred_conn_req(). Zephyr versions >= v2.5.0 Stack-based Buffer Overflow (CWE-121). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8w87-6rfp-cfrm
nvd
CVE-2025-9558 | P3 | HIGH | CVSS 7.6 | ≥ *, ≤ 4.2 | 2025-11-26
CVE-2025-9558 [HIGH] CWE-120: There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size.
nvd
CVE-2023-5139 | P3 | HIGH | CVSS 7.8 | ≥ *, < 3.5 | 2023-10-26
CVE-2023-5139 [HIGH] CWE-120: Potential buffer overflow vulnerability at the following location in the Zephyr STM32 Crypto driver
nvd
CVE-2020-13601 | P3 | CRITICAL | CVSS 9.8 | ≥ 1.14.2, < unspecified; ≥ 2.3.0, < unspecified | 2021-05-25
CVE-2020-13601 [CRITICAL] CWE-125: Possible read out of bounds in dns read. Zephyr versions >= 1.14.2, >= 2.3.0 contain Out-of-bounds Read (CWE-125). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-mm57-9hqw-qh44
nvd
CVE-2023-7060 | P3 | HIGH | CVSS 7.5 | ≥ *, ≤ 3.5 | 2024-03-15
CVE-2023-7060 [HIGH] CWE-20: Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination address.
nvd
CVE-2022-2993 | P3 | CRITICAL | CVSS 9.8 | ≥ unspecified, ≤ v3.1 | 2022-12-09
CVE-2022-2993 [CRITICAL] CWE-670: There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all requirements were unmet.
nvd
CVE-2024-11263 | P3 | HIGH | CVSS 8.4 | ≥ *, ≤ 3.7 | 2024-11-15
CVE-2024-11263 [HIGH] CWE-270: When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols.
nvd
CVE-2020-10063 | P3 | HIGH | CVSS 7.5 | ≥ 2.2.0, < unspecified; ≥ 2.1.0, < unspecified; +1 more | 2020-06-05
CVE-2020-10063 [HIGH] CWE-190: A remote adversary with the ability to send arbitrary CoAP packets to be parsed by Zephyr is able to cause a denial of service. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.
nvd
CVE-2023-1902 | P3 | HIGH | CVSS 8.0 | ≥ *, ≤ 3.3 | 2023-07-10
CVE-2023-1902 [HIGH] CWE-416: The bluetooth HCI host layer logic not clearing a global reference to a state pointer after handling connection events may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.
nvd
CVE-2020-10019 | P3 | HIGH | CVSS 7.8 | ≥ 1.14.1, < unspecified; ≥ 2.1.0, < unspecified | 2020-05-11
CVE-2020-10019 [HIGH] CWE-120: USB DFU has a potential buffer overflow where the requested length (wLength) is not checked against the buffer size. This could be used by a malicious USB host to exploit the buffer overflow. See NCC-ZEP-002 This issue affects: zephyrproject-rtos zephyr version 1.14.1 and later versions. version 2.1.0 and later versions.
nvd
CVE-2023-0779 | P3 | HIGH | CVSS 7.7 | ≥ unspecified, < v3.3; ≥ unspecified, ≤ v2.7.4 | 2023-05-30
CVE-2023-0779 [HIGH] CWE-20: At the most basic level, an invalid pointer can be input that crashes the device, but with more knowledge of the device’s memory layout, further exploitation is possible.
nvd
CVE-2022-2741 | P3 | HIGH | CVSS 7.5 | ≥ unspecified, ≤ v3.1 | 2022-10-31
CVE-2022-2741 [HIGH] CWE-400: The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The frame must have a CAN ID matching an installed filter in the vulnerable node (this can easily be guessed based on CAN traffic analyses). The frame must contain the opposite RTR bit as what the filter installed in the v
nvd
CVE-2025-9557 | P3 | HIGH | CVSS 7.6 | ≥ *, ≤ 4.2 | 2025-11-26
CVE-2025-9557 [HIGH] CWE-120: An out-of-bounds write can lead to arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service.
nvd
CVE-2024-10395 | P3 | HIGH | CVSS 7.5 | ≥ *, ≤ 3.7 | 2025-02-03
CVE-2024-10395 [HIGH] CWE-127: No proper validation of the length of user input in http_server_get_content_type_from_extension.
nvd
CVE-2026-5589 | P3 | MEDIUM | CVSS 6.3 | ≥ *, ≤ 4.3.0 | 2026-06-04
CVE-2026-5589 [MEDIUM] CWE-787: An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_
nvd
CVE-2026-5066 | P3 | MEDIUM | CVSS 6.3 | ≥ *, ≤ 4.3 | 2026-06-04
CVE-2026-5066 [MEDIUM] CWE-787: A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller-supplied address into a fixed-size buffer using the caller-controlled addrlen value without validating
nvd
CVE-2020-10067 | P3 | HIGH | CVSS 7.8 | ≥ 1.14.1, < unspecified; ≥ 2.1.0, < unspecified | 2020-05-11
CVE-2020-10067 [HIGH] CWE-190: A malicious userspace application can cause an integer overflow and bypass security checks performed by system call handlers. The impact would depend on the underlying system call and can range from denial of service to information leak to memory corruption resulting in code execution within the kernel. See NCC-ZEP-005 This issue affects: zephyrproject-
nvd
CVE-2020-10021 | P3 | HIGH | CVSS 7.8 | ≥ 1.14.1, < unspecified; ≥ 2.1.0, < unspecified | 2020-05-11
CVE-2020-10021 [HIGH] CWE-787: Out-of-bounds Write in the USB Mass Storage memoryWrite handler with unaligned Sizes See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026 This issue affects: zephyrproject-rtos zephyr version 1.14.1 and later versions. version 2.1.0 and later versions.
nvd