
Zephyrproject Zephyr vulnerabilities

136 known vulnerabilities affecting zephyrproject/zephyr.

Total CVEs: 136
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 22, HIGH 60, MEDIUM 49, LOW 5

Vulnerabilities

Page 7 of 7
CVE-2026-10634 | P4 | MEDIUM | CVSS 5.3 | ≥ 2.5.0, < 4.5.0 | 2026-06-15
CWE-416: Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired it afterwards. During that window a concu
Source: NVD
CVE-2026-10652 | P4 | MEDIUM | CVSS 4.8 | ≥ 4.3.0, < 4.5.0 | 2026-06-30
CWE-125: Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT and SRV consumers in dns_validate_record() (resolve.c)
Source: NVD
CVE-2020-10068 | P4 | MEDIUM | CVSS 6.5 | fixed in 1.14.0; ≥ 2.0.0, < 2.2.0 | 2020-06-05
CWE-20: In the Zephyr project Bluetooth subsystem, certain duplicate and back-to-back packets can cause incorrect behavior, resulting in a denial of service. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions, and version 1.14.0 and later versions.
Source: NVD
CVE-2020-10072 | P4 | MEDIUM | CVSS 5.3 | ≤ 1.14.2; ≥ 2.0.0, ≤ 2.2.0 | 2021-05-25
CWE-280: Improper Handling of Insufficient Permissions or Privileges in Zephyr. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Insufficient Permissions or Privileges (CWE-280). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-vf79-hqwm-w4xc
Source: NVD
CVE-2021-3322 | P4 | MEDIUM | CVSS 6.5 | ≥ 2.4.0, < 2.5.0 | 2021-10-12
CWE-476: Unexpected Pointer Aliasing in IEEE 802.15.4 Fragment Reassembly in Zephyr. Zephyr versions >= 2.4.0 contain NULL Pointer Dereference (CWE-476). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p86r-gc4r-4mq3
Source: NVD
CVE-2023-0397 | P4 | MEDIUM | CVSS 6.5 | ≤ 3.2.0 | 2023-01-19
CWE-703: A malicious or defective Bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buffer_size_complete.
Source: NVD
CVE-2020-13602 | P4 | MEDIUM | CVSS 5.5 | ≤ 1.14.2; ≥ 2.0.0, ≤ 2.2.0 | 2021-05-25
CWE-20: Remote Denial of Service in LwM2M do_write_op_tlv. Zephyr versions >= 1.14.2, >= 2.2.0 contain Improper Input Validation (CWE-20), Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-g9mg-fj58-6fqh
Source: NVD
CVE-2026-10644 | P4 | MEDIUM | CVSS 4.2 | ≥ 4.4.0, < 4.5.0 | 2026-06-28
CWE-787: The Microchip SERCOM-G1 UART driver (drivers/serial/uart_mchp_sercom_g1.c), used by the PIC32CM-JH SoC family, contains an out-of-bounds write in its asynchronous (DMA) receive path. When uart_rx_enable() is invoked with a one-byte receive buffer (len == 1) and CONFIG_UART_MCHP_ASYNC is enabled, the RX-complete ISR starts a single-beat DMA transfer
Source: NVD
CVE-2020-10066 | P4 | MEDIUM | CVSS 5.7 | ≤ 1.14.2; ≥ 2.0.0, ≤ 2.2.0 | 2021-05-25
CWE-476: Incorrect Error Handling in Bluetooth HCI core. Zephyr versions >= v1.14.2, >= v2.2.0 contain NULL Pointer Dereference (CWE-476). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gc66-xfrc-24qr
Source: NVD
CVE-2022-0553 | P4 | MEDIUM | CVSS 4.6 | fixed in 3.0.0 | 2023-01-11
CWE-200: There is no check to see if slot 0 is being uploaded from the device to the host. When using encrypted images this means the unencrypted firmware can be retrieved easily.
Source: NVD
CVE-2026-20435 | P4 | MEDIUM | CVSS 4.6 | v3.7.0 | 2026-03-02
CWE-522: In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118.
Source: NVD
CVE-2026-10636 | P4 | LOW | CVSS 3.7 | ≥ 2.6.0, < 4.5.0 | 2026-06-16
CWE-416: In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been released by the L2 driver or by the network stack's TX handling (synchronous
Source: NVD
CVE-2026-10654 | P4 | LOW | CVSS 3.1 | ≥ 1.6.0, < 4.5.0 | 2026-06-30
CWE-362: A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a session teardown (state BT_RFCOMM_STATE_DISCONNECTING, DISC sent, RTX timer armed) and the connected peer concurrently sends its own DISC frame for
Source: NVD
CVE-2020-13599 | P4 | LOW | CVSS 3.3 | ≤ 1.14.2; ≥ 2.0.0, ≤ 2.3.0 | 2021-05-25
CWE-276: Security problem with settings and littlefs. Zephyr versions >= 1.14.2, >= 2.3.0 contain Incorrect Default Permissions (CWE-276). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5qhg-j6wc-4f6q
Source: NVD
CVE-2021-3435 | P4 | LOW | CVSS 3.3 | ≥ 2.4.0, < 2.6.0 | 2022-06-28
CWE-908: Information leakage in le_ecred_conn_req(). Zephyr versions >= v2.4.0 contain Use of Uninitialized Resource (CWE-908). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xhg3-gvj6-4rqh
Source: NVD
CVE-2021-3433 | P4 | LOW | CVSS 3.3 | ≥ 2.5.0, < 2.6.0 | 2022-06-28
CWE-703: Invalid channel map in CONNECT_IND results in deadlock. Zephyr versions >= v2.5.0 contain Improper Check or Handling of Exceptional Conditions (CWE-703). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3c2f-w4v6-qxrp
Source: NVD