Zephyrproject Zephyr vulnerabilities

114 known vulnerabilities affecting zephyrproject/zephyr.

Total CVEs: 114
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 22, HIGH 52, MEDIUM 37, LOW 3

Vulnerabilities (page 1 of 6)

CVE | severity | CVSS | version | date | source
CVE-2026-1679 | HIGH | CVSS 7.8 | ≤ 4.3.0 | 2026-03-28 | source: nvd
CWE-120: The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly.

CVE-2026-0849 | MEDIUM | CVSS 6.8 | v4.3.0 | 2026-03-16 | source: nvd
CWE-120: Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.

CVE-2026-4179 | MEDIUM | CVSS 6.1 | ≤ 4.3.0 | 2026-03-16 | source: nvd
CWE-835: Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.

CVE-2026-1678 | CRITICAL | CVSS 9.8 | ≤ 4.3.0 | 2026-03-05 | source: nvd
CWE-787: dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.

CVE-2026-20435 | MEDIUM | CVSS 4.6 | v3.7.0 | 2026-03-02 | source: nvd
CWE-522: In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.

CVE-2025-20746 | MEDIUM | CVSS 6.7 | v3.7.0 | 2025-11-04 | source: nvd
CWE-121: In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010441; Issue ID: MSV-3967.

CVE-2025-20747 | MEDIUM | CVSS 6.7 | v3.7.0 | 2025-11-04 | source: nvd
CWE-121: In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010443; Issue ID: MSV-3966.

CVE-2025-10458 | HIGH | CVSS 7.6 | ≤ 4.1.0 | 2025-09-19 | source: nvd
CWE-130: Parameters are not validated or sanitized, and are later used in various internal operations.

CVE-2025-10457 | HIGH | CVSS 8.1 | ≤ 4.1.0 | 2025-09-19 | source: nvd
CWE-358: The function responsible for handling BLE connection responses does not verify whether a response is expected, that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching.

CVE-2025-7403 | MEDIUM | CVSS 6.5 | ≤ 4.1.0 | 2025-09-19 | source: nvd
CWE-123: Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.

CVE-2025-10456 | MEDIUM | CVSS 6.5 | ≤ 4.1.0 | 2025-09-19 | source: nvd
CWE-190: A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, i

CVE-2025-20696 | MEDIUM | CVSS 6.8 | v3.7.0 | 2025-08-04 | source: nvd
CWE-787: In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09915215; Issue ID: MSV-3801.

CVE-2025-2962 | HIGH | CVSS 7.5 | ≤ 4.1.0 | 2025-06-24 | source: nvd
CWE-835: A denial-of-service issue in the DNS implementation could cause an infinite loop.

CVE-2025-1675 | CRITICAL | CVSS 9.1 | ≤ 4.0.0 | 2025-02-25 | source: nvd
CWE-125: The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data.

CVE-2025-1674 | HIGH | CVSS 8.2 | ≤ 4.0 | 2025-02-25 | source: nvd
CWE-125: A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.

CVE-2025-1673 | HIGH | CVSS 8.2 | ≤ 4.0 | 2025-02-25 | source: nvd
CWE-125: A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.

CVE-2024-10395 | HIGH | CVSS 7.5 | ≤ 3.7.0 | 2025-02-03 | source: nvd
CWE-127: No proper validation of the length of user input in http_server_get_content_type_from_extension.

CVE-2024-8798 | MEDIUM | CVSS 6.5 | ≤ 3.7.0 | 2024-12-16 | source: nvd
CWE-122: No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.

CVE-2024-11263 | HIGH | CVSS 8.4 | ≤ 3.7.0 | 2024-11-15 | source: nvd
CWE-270: When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols.

CVE-2024-6443 | MEDIUM | CVSS 6.5 | ≤ 3.6.0 | 2024-10-04 | source: nvd
CWE-125: In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty.