cvebase

Zephyrproject Zephyr vulnerabilities

136 known vulnerabilities affecting zephyrproject/zephyr.

Total CVEs: 136
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 22, HIGH 60, MEDIUM 49, LOW 5

Vulnerabilities

Page 6 of 7
CVE-2022-1841 | P4 | MEDIUM | CVSS 5.3 | ≤ 3.0.0 | 2022-08-31
CVE-2022-1841 [MEDIUM] CWE-787: In subsys/net/ip/tcp.c, function tcp_flags, when the incoming parameter flags is ECN or CWR, the buf will out-of-bounds write a byte zero.
nvd
CVE-2021-3329 | P4 | MEDIUM | CVSS 6.5 | v2.4.0 | 2023-02-26
CVE-2021-3329 [MEDIUM] CWE-703: Lack of proper validation in HCI Host stack initialization can cause a crash of the Bluetooth stack.
nvd
CVE-2020-10023 | P4 | MEDIUM | CVSS 6.8 | v1.14.1, v2.1.0 | 2020-05-11
CVE-2020-10023 [MEDIUM] CWE-120: The shell subsystem contains a buffer overflow, whereby an adversary with physical access to the device is able to cause a memory corruption, resulting in denial of service or possibly code execution within the Zephyr kernel. See NCC-NCC-019 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later vers
nvd
CVE-2023-0396 | P4 | MEDIUM | CVSS 6.8 | ≤ 3.2.0 | 2023-01-25
CVE-2023-0396 [MEDIUM] CWE-126: A malicious / defective Bluetooth controller can cause buffer overreads in most functions that process HCI command responses.
nvd
CVE-2024-3077 | P4 | MEDIUM | CVSS 6.5 | ≤ 3.6.0 | 2024-03-29
CVE-2024-3077 [MEDIUM] CWE-126: A malicious BLE device can crash a BLE victim device by sending a malformed GATT packet.
nvd
CVE-2024-4785 | P4 | MEDIUM | CVSS 6.5 | fixed in 3.7.0 | 2024-08-19
CVE-2024-4785 [MEDIUM] CWE-369: BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero
nvd
CVE-2024-3332 | P4 | MEDIUM | CVSS 6.5 | ≤ 3.6.0 | 2024-07-03
CVE-2024-3332 [MEDIUM] CWE-476: A malicious BLE device can send a specific order of packet sequence to cause a DoS attack on the victim BLE device
nvd
CVE-2024-6258 | P4 | MEDIUM | CVSS 6.5 | fixed in 3.6.0 | 2024-09-13
CVE-2024-6258 [MEDIUM] CWE-122: BT: Missing length checks of net_buf in rfcomm_handle_data
nvd
CVE-2024-8798 | P4 | MEDIUM | CVSS 6.5 | ≤ 3.7.0 | 2024-12-16
CVE-2024-8798 [MEDIUM] CWE-122: No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
nvd
CVE-2024-6444 | P4 | MEDIUM | CVSS 6.5 | ≤ 3.6.0 | 2024-10-04
CVE-2024-6444 [MEDIUM] CWE-122: No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
nvd
CVE-2024-6442 | P4 | MEDIUM | CVSS 6.5 | ≤ 3.6.0 | 2024-10-04
CVE-2024-6442 [MEDIUM] CWE-787: In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.
nvd
CVE-2026-4179 | P4 | MEDIUM | CVSS 6.1 | ≤ 4.3.0 | 2026-03-16
CVE-2026-4179 [MEDIUM] CWE-835: Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.
nvd
CVE-2026-10639 | P4 | MEDIUM | CVSS 4.8 | ≥ 1.14.0, < 4.5.0 | 2026-06-16
CVE-2026-10639 [MEDIUM] CWE-416: In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx -> net_if_tx -> L2/driver send, or
nvd
CVE-2024-6259 | P4 | MEDIUM | CVSS 6.5 | ≤ 3.6.0 | 2024-09-13
CVE-2024-6259 [MEDIUM] CWE-122: BT: HCI: adv_ext_report Improper discarding in adv_ext_report
nvd
CVE-2024-6443 | P4 | MEDIUM | CVSS 6.5 | ≤ 3.6.0 | 2024-10-04
CVE-2024-6443 [MEDIUM] CWE-125: In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty.
nvd
CVE-2024-5931 | P4 | MEDIUM | CVSS 6.5 | ≤ 3.6.0 | 2024-09-13
CVE-2024-5931 [MEDIUM] CWE-121: BT: Unchecked user input in bap_broadcast_assistant
nvd
CVE-2026-10648 | P4 | MEDIUM | CVSS 5.5 | v4.4.0, v4.4.0-rc1, +3 more | 2026-06-29
CVE-2026-10648 [MEDIUM] CWE-476: mcumgr_serial_process_frag() in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset() on the result of smp_packet_alloc() before checking it for NULL. smp_packet_alloc() uses net_buf_alloc(K_NO_WAIT) against the shared MCUmgr packet pool (CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT, default 4), which returns NULL when the pool is exhausted.
nvd
CVE-2026-10647 | P4 | MEDIUM | CVSS 5.3 | ≥ 4.1.0, < 4.5.0 | 2026-06-29
CVE-2026-10647 [MEDIUM] CWE-833: The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls k_sem_take(&data->sync_sem, K_FOREVER), blocking on a completion semaphore that is only ever signaled from the bulk-IN transfer-compl
nvd
CVE-2020-10059 | P4 | MEDIUM | CVSS 4.8 | v2.1.0, v2.2.0 | 2020-05-11
CVE-2020-10059 [MEDIUM] CWE-295: The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions.
nvd
CVE-2020-10069 | P4 | MEDIUM | CVSS 6.5 | ≤ 1.14.2; ≥ 2.0.0, ≤ 2.2.0 | 2021-05-25
CVE-2020-10069 [MEDIUM] CWE-233: Zephyr Bluetooth unchecked packet data results in denial of service. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Parameters (CWE-233). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-f6vh-7v4x-8fjp
nvd