Zephyrproject Zephyr vulnerabilities
136 known vulnerabilities affecting zephyrproject/zephyr.
Total CVEs: 136
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 22, HIGH 58, MEDIUM 51, LOW 5
Vulnerabilities
Page 2 of 7
CVE-2026-1679 | P3 | HIGH | CVSS 7.8 | CWE-120 | ≤ 4.3.0 | 2026-03-28
The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly.
nvd
CVE-2025-1675 | P3 | CRITICAL | CVSS 9.1 | CWE-125 | ≤ 4.0.0 | 2025-02-25
The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data.
nvd
CVE-2021-3835 | P3 | HIGH | CVSS 8.8 | CWE-122 | ≥ 2.6.0, < 2.7.1 | v3.0.0 | 2022-02-07
Buffer overflow in usb device class. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fm6v-8625-99jf
nvd
CVE-2021-3966 | P3 | HIGH | CVSS 8.8 | CWE-122 | fixed in 3.0.0 | 2023-01-11
usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.
nvd
CVE-2023-2234 | P3 | HIGH | CVSS 8.8 | CWE-843 | ≤ 3.3.0 | 2023-07-10
Union variant confusion allows any malicious BT controller to execute arbitrary code on the Zephyr host.
nvd
CVE-2022-3806 | P3 | CRITICAL | CVSS 9.8 | CWE-415 | ≤ 3.2.0 | 2023-01-25
Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.
nvd
CVE-2023-5055 | P3 | CRITICAL | CVSS 9.8 | ≤ 3.4.0 | 2023-11-21
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.
nvd
CVE-2026-10646 | P3 | HIGH | CVSS 7.4 | CWE-416 | ≥ 4.0.0, < 4.5.0 | 2026-06-28
Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object (struct getaddrinfo_state ai_state) as the user_data of an asynchronous DNS resolver query. The socket layer waits on a semaphore with a timeout deliberately set slightly longer than the resolver's own per-query t
nvd
CVE-2023-5753 | P3 | HIGH | CVSS 8.8 | CWE-120 | ≤ 3.4.0 | 2023-10-25
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
nvd
CVE-2022-1041 | P3 | HIGH | CVSS 8.8 | CWE-787 | ≤ 3.0.0 | 2022-07-26
In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.
nvd
CVE-2022-1042 | P3 | HIGH | CVSS 8.8 | CWE-787 | ≤ 3.0.0 | 2022-07-26
In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.
nvd
CVE-2020-10061 | P3 | HIGH | CVSS 8.8 | CWE-119 | fixed in 1.14.0 | ≥ 2.0.0, < 2.2.0 | 2020-06-05
Improper handling of the full-buffer case in the Zephyr Bluetooth implementation can result in memory corruption. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions, and version 1.14.0 and later versions.
nvd
CVE-2021-3581 | P3 | HIGH | CVSS 8.8 | CWE-805 | ≥ 2.5.0, < 2.6.0 | 2021-10-05
Buffer Access with Incorrect Length Value in Zephyr. Zephyr versions >= 2.5.0 contain Buffer Access with Incorrect Length Value (CWE-805). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5
nvd
CVE-2021-3321 | P3 | HIGH | CVSS 8.8 | CWE-680 | ≥ 2.4.0, < 2.5.0 | 2021-10-12
Integer Underflow in Zephyr in IEEE 802154 Fragment Reassembly Header Removal. Zephyr versions >= 2.4.0 contain Integer Overflow to Buffer Overflow (CWE-680). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-w44j-66g7-xw99
nvd
CVE-2021-3330 | P3 | HIGH | CVSS 8.8 | CWE-787 | ≥ 2.4.0, < 2.5.0 | 2021-10-12
RCE/DOS: Linked-list corruption leading to large out-of-bounds write while sorting for forged fragment list in Zephyr. Zephyr versions >= 2.4.0 contain Out-of-bounds Write (CWE-787). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fj4r-373f-9456
nvd
CVE-2023-5184 | P3 | HIGH | CVSS 8.8 | CWE-120 | ≤ 3.4.0 | 2023-09-27
Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.
nvd
CVE-2025-10457 | P3 | HIGH | CVSS 8.1 | CWE-358 | ≤ 4.1.0 | 2025-09-19
The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching.
nvd
CVE-2026-7656 | P3 | HIGH | CVSS 8.1 | CWE-290 | ≥ 1.14.0, < 4.5.0 | 2026-06-29
The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 code check using the wrong operator precedence: the form was '((length/hop/source/target checks) && (icmp_hdr->code != 0))'. Because every legit
nvd
CVE-2021-3323 | P3 | CRITICAL | CVSS 9.8 | CWE-191 | ≥ 2.4.0, < 2.5.0 | 2021-10-12
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Zephyr versions >= 2.4.0 contain Integer Underflow (Wrap or Wraparound) (CWE-191). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-89j6-qpxf-pfpc
nvd
CVE-2020-10065 | P3 | HIGH | CVSS 8.8 | CWE-130 | ≤ 1.14.2 | ≥ 2.0.0, ≤ 2.2.0 | 2021-05-25
Missing Size Checks in Bluetooth HCI over SPI. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Length Parameter Inconsistency (CWE-130). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hg2w-62p6-g67c
nvd