cvebase

Zephyrproject-Rtos Zephyr vulnerabilities

128 known vulnerabilities affecting zephyrproject-rtos/zephyr.

Total CVEs: 128
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 20, HIGH 61, MEDIUM 44, LOW 3

Vulnerabilities

Page 5 of 7
CVE-2026-0849 | P4 | MEDIUM | CVSS 6.8 | ≥ *, ≤ 4.3 | 2026-03-16
CWE-120: Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.
nvd
CVE-2021-3436 | P4 | MEDIUM | CVSS 6.5 | ≥ 1.14.2, < unspecified; ≥ 2.4.0, < unspecified; +1 more | 2021-10-05
CWE-694: BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63
nvd
CVE-2026-10651 | P4 | HIGH | CVSS 7.1 | ≥ *, ≤ 4.4.0 | 2026-06-23
CWE-20: A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then unconditionally pulls an additional byte for the value type without verifying that the
nvd
CVE-2023-4265 | P4 | MEDIUM | CVSS 6.8 | ≥ *, ≤ 3.3 | 2023-08-12
CWE-120: Potential buffer overflow vulnerabilities in the following locations: https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/usb/device/usb_dc_native_posix.c#L359 https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/usb/device/class/net
nvd
CVE-2025-10456 | P4 | MEDIUM | CVSS 6.5 | ≥ *, ≤ 4.1.0 | 2025-09-19
CWE-190: A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, i
nvd
CVE-2026-5072 | P4 | MEDIUM | CVSS 6.5 | ≥ *, ≤ 4.3 | 2026-05-22
CWE-1335: A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set. When a subsequent PTP_MSG_ANNOUNCE message is processed, port_timer_set_time
nvd
CVE-2026-1681 | P4 | MEDIUM | CVSS 6.1 | ≥ *, ≤ 4.3 | 2026-05-12
CWE-674: Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both the echo request and the resulting echo reply are processed inline before the current frame returns. The
nvd
CVE-2026-1677 | P4 | MEDIUM | CVSS 5.3 | ≥ *, ≤ 4.3 | 2026-05-11
CWE-757: Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_tls_version`). The ClientHello advertises both versions and the peer can establish TLS 1.2, so applications that a
nvd
CVE-2021-3861 | P4 | MEDIUM | CVSS 6.8 | ≥ v2.6.0, < unspecified | 2022-02-07
CWE-122: The RNDIS USB device class includes a buffer overflow vulnerability. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hvfp-w4h8-gxvj
nvd
CVE-2024-6137 | P4 | MEDIUM | CVSS 6.5 | ≥ *, ≤ 3.6 | 2024-09-13
CWE-121: BT: Classic: SDP OOB access in get_att_search_list
nvd
CVE-2023-4258 | P4 | MEDIUM | CVSS 6.5 | ≥ 1.14, ≤ 3.4 | 2023-09-25
CWE-684: In the Bluetooth mesh implementation, if the provisionee has a public key that is sent OOB, then during provisioning it can be sent back and will be accepted by the provisionee.
nvd
CVE-2025-7403 | P4 | MEDIUM | CVSS 6.5 | ≥ *, ≤ 4.1 | 2025-09-19
CWE-123: Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.
nvd
CVE-2026-5071 | P4 | MEDIUM | CVSS 6.1 | ≥ *, ≤ 4.3 | 2026-05-30
CWE-125: The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can s
nvd
CVE-2022-1841 | P4 | MEDIUM | CVSS 5.3 | ≥ unspecified, ≤ v3.0 | 2022-08-31
CWE-787: In subsys/net/ip/tcp.c, in the function tcp_flags, when the incoming parameter flags is ECN or CWR, a zero byte is written out of bounds of buf.
nvd
CVE-2021-3329 | P4 | MEDIUM | CVSS 6.5 | ≥ unspecified, ≤ v2.4 | 2023-02-26
CWE-703: Lack of proper validation in HCI Host stack initialization can cause a crash of the Bluetooth stack.
nvd
CVE-2025-12035 | P4 | MEDIUM | CVSS 6.5 | ≥ *, ≤ 4.2 | 2025-12-15
CWE-190: An integer overflow condition exists in the Bluetooth Host stack, within the bt_br_acl_recv routine, a critical path for processing inbound BR/EDR L2CAP traffic.
nvd
CVE-2020-10023 | P4 | MEDIUM | CVSS 6.8 | ≥ 1.14.0, < unspecified; ≥ 2.1.0, < unspecified | 2020-05-11
CWE-120: The shell subsystem contains a buffer overflow, whereby an adversary with physical access to the device is able to cause a memory corruption, resulting in denial of service or possibly code execution within the Zephyr kernel. See NCC-NCC-019. This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later vers
nvd
CVE-2023-0396 | P4 | MEDIUM | CVSS 6.8 | ≥ unspecified, ≤ v3.2 | 2023-01-25
CWE-126: A malicious or defective Bluetooth controller can cause buffer overreads in most of the functions that process HCI command responses.
nvd
CVE-2024-3077 | P4 | MEDIUM | CVSS 6.5 | ≥ *, ≤ 3.6 | 2024-03-29
CWE-126: A malicious BLE device can crash a BLE victim device by sending a malformed GATT packet.
nvd
CVE-2024-4785 | P4 | MEDIUM | CVSS 6.5 | ≥ *, ≤ 3.6 | 2024-08-19
CWE-369: BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero
nvd