cvebase

Zephyrproject Zephyr vulnerabilities

136 known vulnerabilities affecting zephyrproject/zephyr.

Total CVEs: 136
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 22, HIGH 60, MEDIUM 49, LOW 5

Vulnerabilities

Page 5 of 7
CVE-2020-13600 | P4 | HIGH | CVSS 7.6 | ≤ 1.14.2; ≥ 2.0.0, ≤ 2.3.0 | 2021-05-25
CVE-2020-13600 [HIGH] CWE-122: Malformed SPI in response for eswifi can corrupt kernel memory. Zephyr versions >= 1.14.2, >= 2.3.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hx4p-j86p-2mhr
nvd
CVE-2026-0849 | P4 | MEDIUM | CVSS 6.8 | v4.3.0 | 2026-03-16
CVE-2026-0849 [MEDIUM] CWE-120: Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.
nvd
CVE-2026-10641 | P4 | HIGH | CVSS 7.1 | ≥ 3.7.0, < 3.7.3; ≥ 4.0.0, < 4.3.1; +2 more | 2026-06-17
CVE-2026-10641 [HIGH] CWE-787: Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list elem
cvelistv5, nvd
CVE-2021-3436 | P4 | MEDIUM | CVSS 6.5 | v1.14.2; v2.4.0; +1 more | 2021-10-05
CVE-2021-3436 [MEDIUM] CWE-694: BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63
nvd
CVE-2026-10655 | P4 | MEDIUM | CVSS 6.5 | ≥ 4.2.0, < 4.5.0 | 2026-06-30
CVE-2026-10655 [MEDIUM] CWE-416: The asynchronous SNTP client in Zephyr (subsys/net/lib/sntp/sntp.c, sntp_close_async) closed the UDP socket file descriptor directly from the calling thread immediately after detaching it from the network socket service, without synchronizing with the socket-service poll thread. The socket service thread polls each socket via zvfs_poll, which (in z
nvd
CVE-2023-4265 | P4 | MEDIUM | CVSS 6.8 | ≤ 3.3.0 | 2023-08-12
CVE-2023-4265 [MEDIUM] CWE-120: Potential buffer overflow vulnerabilities in the following locations: https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/usb/device/usb_dc_native_posix.c#L359 https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/usb/device/class/net
nvd
CVE-2025-20696 | P4 | MEDIUM | CVSS 6.8 | v3.7.0 | 2025-08-04
CVE-2025-20696 [MEDIUM] CWE-787: In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09915215; Issue ID: MSV-3801.
nvd
CVE-2025-20746 | P4 | MEDIUM | CVSS 6.7 | v3.7.0 | 2025-11-04
CVE-2025-20746 [MEDIUM] CWE-121: In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010441; Issue ID: MSV-3967.
nvd
CVE-2025-20747 | P4 | MEDIUM | CVSS 6.7 | v3.7.0 | 2025-11-04
CVE-2025-20747 [MEDIUM] CWE-121: In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010443; Issue ID: MSV-3966.
nvd
CVE-2025-10456 | P4 | MEDIUM | CVSS 6.5 | ≤ 4.1.0 | 2025-09-19
CVE-2025-10456 [MEDIUM] CWE-190: A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, i
nvd
CVE-2026-10642 | P4 | MEDIUM | CVSS 6.5 | ≥ 4.1.0, < 4.5.0 | 2026-06-24
CVE-2026-10642 [MEDIUM] CWE-835: The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to work around the controller's level-transition TX-interrupt behavior. When CTS hardware flow control is e
nvd
CVE-2026-10635 | P4 | MEDIUM | CVSS 6.3 | v4.4.0; ≥ 4.4.0, < 4.5.0 | 2026-06-16
CVE-2026-10635 [MEDIUM] CWE-416: On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain_deinit() - arch_mem_domain_deinit(), the page tables
nvd
CVE-2026-10637 | P4 | HIGH | CVSS 7.1 | ≥ 1.12.0, < 4.5.0 | 2026-06-16
CVE-2026-10637 [HIGH] CWE-416: subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after that call'), a successful send transfers ownership of the net_
nvd
CVE-2026-9263 | P4 | MEDIUM | CVSS 6.5 | ≥ 3.3.0, < 4.5.0 | 2026-06-30
CVE-2026-9263 [MEDIUM] CWE-125: The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment (sc=0) always carries a 3-byte time_offset, so its segment-header len must be at least PDU_ISO_SEG_TIMEOFFSET_SIZE (3). isoal_check_seg_he
nvd
CVE-2021-3861 | P4 | MEDIUM | CVSS 6.8 | ≥ 2.6.0, ≤ 2.7.1 | 2022-02-07
CVE-2021-3861 [MEDIUM] CWE-122: The RNDIS USB device class includes a buffer overflow vulnerability. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hvfp-w4h8-gxvj
nvd
CVE-2024-6137 | P4 | MEDIUM | CVSS 6.5 | ≤ 3.6.0 | 2024-09-13
CVE-2024-6137 [MEDIUM] CWE-121: BT: Classic: SDP OOB access in get_att_search_list
nvd
CVE-2023-4258 | P4 | MEDIUM | CVSS 6.5 | fixed in 3.4.0 | 2023-09-25
CVE-2023-4258 [MEDIUM] CWE-684: In Bluetooth mesh implementation, if provisionee has a public key that is sent OOB, then during provisioning it can be sent back and will be accepted by provisionee.
nvd
CVE-2025-7403 | P4 | MEDIUM | CVSS 6.5 | ≤ 4.1.0 | 2025-09-19
CVE-2025-7403 [MEDIUM] CWE-123: Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.
nvd
CVE-2026-10593 | P4 | MEDIUM | CVSS 6.5 | ≥ 4.3.0, < 4.5.0 | 2026-06-28
CVE-2026-10593 [MEDIUM] CWE-476: The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state() (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields (interval, framing, phy, sdu, rtn, latency, pd) through the stream-qos pointer with only a stream !=
nvd
CVE-2026-10653 | P4 | MEDIUM | CVSS 6.4 | ≥ 2.7.0, < 4.5.0 | 2026-06-30
CVE-2026-10653 [MEDIUM] CWE-415: The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block ref_count at the start of each variable/heap data allocation -- with plain non-atomic C operators (buf->ref++, if (--buf->ref > 0), if (--(*ref_count))). The API is documented as self-synchronizing: callers may sh
nvd