Zephyrproject-Rtos Zephyr vulnerabilities

CVE-2022-3806 [CRITICAL] CWE-415 CVE-2022-3806: Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a netwo Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.

CVE-2023-0396 [MEDIUM] CWE-126 CVE-2023-0396: A malicious / defective bluetooth controller can cause buffer overreads in the most functions that p A malicious / defective bluetooth controller can cause buffer overreads in the most functions that process HCI command responses.

CVE-2023-0397 [MEDIUM] CWE-703 CVE-2023-0397: A malicious / defect bluetooth controller can cause a Denial of Service due to unchecked input in le A malicious / defect bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buffer_size_complete.

CVE-2021-3966 [HIGH] CWE-122 CVE-2021-3966: usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem. usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.

CVE-2022-0553 [MEDIUM] CWE-200 CVE-2022-0553: There is no check to see if slot 0 is being uploaded from the device to the host. When using encrypt There is no check to see if slot 0 is being uploaded from the device to the host. When using encrypted images this means the unencrypted firmware can be retrieved easily.

CVE-2022-2993 [CRITICAL] CWE-670 CVE-2022-2993: There is an error in the condition of the last if-statement in the function smp_check_keys. It was r There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all requirements were unmet.

CVE-2022-2741 [HIGH] CWE-400 CVE-2022-2741: The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The frame must have a CAN ID matching an installed filter in the vulnerable node (this can easily be guessed based on CAN traffic analyses). The frame must contain the opposite RTR bit as what the filter installed in the v

CVE-2022-1841 [MEDIUM] CWE-787 CVE-2022-1841: In subsys/net/ip/tcp.c , function tcp_flags , when the incoming parameter flags is ECN or CWR , the In subsys/net/ip/tcp.c , function tcp_flags , when the incoming parameter flags is ECN or CWR , the buf will out-of-bounds write a byte zero.

CVE-2022-1041 [HIGH] CWE-787 CVE-2022-1041: In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during pro In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.

CVE-2022-1042 [HIGH] CWE-787 CVE-2022-1042: In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during pro In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.

CVE-2021-3430 [HIGH] CWE-617 CVE-2021-3430: Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. Zephyr versions >= v1.14 contain Reachabl Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. Zephyr versions >= v1.14 contain Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-46h3-hjcq-2jjr

CVE-2021-3432 [HIGH] CWE-369 CVE-2021-3432: Invalid interval in CONNECT_IND leads to Division by Zero. Zephyr versions >= v1.14.0 Divide By Zero Invalid interval in CONNECT_IND leads to Division by Zero. Zephyr versions >= v1.14.0 Divide By Zero (CWE-369). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7364-p4wc-8mj4

CVE-2021-3431 [HIGH] CWE-617 CVE-2021-3431: Assertion reachable with repeated LL_FEATURE_REQ. Zephyr versions >= v2.5.0 contain Reachable Assert Assertion reachable with repeated LL_FEATURE_REQ. Zephyr versions >= v2.5.0 contain Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7548-5m6f-mqv9

CVE-2021-3434 [HIGH] CWE-121 CVE-2021-3434: Stack based buffer overflow in le_ecred_conn_req(). Zephyr versions >= v2.5.0 Stack-based Buffer Ove Stack based buffer overflow in le_ecred_conn_req(). Zephyr versions >= v2.5.0 Stack-based Buffer Overflow (CWE-121). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8w87-6rfp-cfrm

CVE-2021-3435 [LOW] CWE-908 CVE-2021-3435: Information leakage in le_ecred_conn_req(). Zephyr versions >= v2.4.0 Use of Uninitialized Resource Information leakage in le_ecred_conn_req(). Zephyr versions >= v2.4.0 Use of Uninitialized Resource (CWE-908). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xhg3-gvj6-4rqh

CVE-2021-3433 [LOW] CWE-703 CVE-2021-3433: Invalid channel map in CONNECT_IND results to Deadlock. Zephyr versions >= v2.5.0 Improper Check or Invalid channel map in CONNECT_IND results to Deadlock. Zephyr versions >= v2.5.0 Improper Check or Handling of Exceptional Conditions (CWE-703). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3c2f-w4v6-qxrp

CVE-2021-3835 [HIGH] CWE-122 CVE-2021-3835: Buffer overflow in usb device class. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (C Buffer overflow in usb device class. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fm6v-8625-99jf

CVE-2021-3861 [MEDIUM] CWE-122 CVE-2021-3861: The RNDIS USB device class includes a buffer overflow vulnerability. Zephyr versions >= v2.6.0 conta The RNDIS USB device class includes a buffer overflow vulnerability. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hvfp-w4h8-gxvj

CVE-2021-3454 [HIGH] CWE-130 CVE-2021-3454: Truncated L2CAP K-frame causes assertion failure. Zephyr versions >= 2.4.0, >= v.2.50 contain Improp Truncated L2CAP K-frame causes assertion failure. Zephyr versions >= 2.4.0, >= v.2.50 contain Improper Handling of Length Parameter Inconsistency (CWE-130), Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-vrp3

CVE-2021-3455 [HIGH] CWE-416 CVE-2021-3455: Disconnecting L2CAP channel right after invalid ATT request leads freeze. Zephyr versions >= 2.4.0, Disconnecting L2CAP channel right after invalid ATT request leads freeze. Zephyr versions >= 2.4.0, >= 2.5.0 contain Use After Free (CWE-416). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7g38-3x9v-v7vp