A buffer overflow has been found in the Zephyr Project's getaddrinfo() implementation in 1.9.0 and 1.10.0.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 1.10.0 |
| zephyrproject | zephyr | 1.9.0 |
Use After Free vulnerability in the Zephyr shell allows a serial or telnet connected user to cause denial of service, and possibly remote code execution. This issue affects: Zephyr shell versions prior to 1.14.0 on all.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-416,CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the shell component of Zephyr allows a serial or telnet connected user to cause a crash, possibly with arbitrary code execution. This issue affects: Zephyr shell versions prior to 1.14.0 on all.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get() that can result in CPU Page Fault (error code 0x00000010). This attack appear to be exploitable via a malicious application call the vulnerable kernel APIs (system sys_ring_buf_get() and sys_ring_buf_put).
CVSS 2.0
Severity: HIGH
Problem Type: CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 1.12.0 |
USB DFU has a potential buffer overflow where the requested length (wLength) is not checked against the buffer size. This could be used by a malicious USB host to exploit the buffer overflow. See NCC-ZEP-002 This issue affects: zephyrproject-rtos zephyr version 1.14.1 and later versions. version 2.1.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 8.1 | HIGH | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 1.4 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Out-of-bounds Write in the USB Mass Storage memoryWrite handler with unaligned Sizes See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026 This issue affects: zephyrproject-rtos zephyr version 1.14.1 and later versions. version 2.1.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 8.1 | HIGH | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 1.4 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in the best case, or code execution in the worst case. See NCC-NCC-016 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions. version 2.2.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 2.2 | 6.0 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 2.1.0 |
| zephyrproject | zephyr | 2.2.0 |
The shell subsystem contains a buffer overflow, whereby an adversary with physical access to the device is able to cause a memory corruption, resulting in denial of service or possibly code execution within the Zephyr kernel. See NCC-NCC-019 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.9 | MEDIUM | CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H | 0.3 | 6.0 |
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 1.14.1 |
| zephyrproject | zephyr | 2.1.0 |
The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-697,CWE-697,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 2.1.0 |
| zephyrproject | zephyr | 1.14.2 |
An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-697,CWE-697,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 1.14.0 |
| zephyrproject | zephyr | 2.1.0 |
Multiple syscalls with insufficient argument validation See NCC-ZEP-006 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 |
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 1.14.0 |
| zephyrproject | zephyr | 2.1.0 |
Multiple syscalls in the Kscan subsystem perform insufficient argument validation, allowing code executing in userspace to potentially gain elevated privileges. See NCC-ZEP-006 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 2.1.0 |
The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L | 2.2 | 2.5 |
| vulnerabilities@zephyrproject.org | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L | 2.2 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-295,CWE-295,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 2.1.0 |
| zephyrproject | zephyr | 2.2.0 |
In updatehub_probe, right after JSON parsing is complete, objects\[1] is accessed from the output structure in two different places. If the JSON contained less than two elements, this access would reference unitialized stack memory. This could result in a crash, denial of service, or possibly an information leak. Provided the fix in CVE-2020-10059 is applied, the attack requires compromise of the server. See NCC-ZEP-030 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions. version 2.2.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H | 1.2 | 5.2 |
| vulnerabilities@zephyrproject.org | 8.0 | HIGH | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | 1.3 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-824,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Improper handling of the full-buffer case in the Zephyr Bluetooth implementation can result in memory corruption. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions, and version 1.14.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.1 | HIGH | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 1.4 | 6.0 |
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
An off-by-one error in the Zephyr project MQTT packet length decoder can result in memory corruption and possible remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 2.2 | 6.0 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-193,CWE-193,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
A remote adversary with the ability to send arbitrary CoAP packets to be parsed by Zephyr is able to cause a denial of service. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H | 2.2 | 4.0 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Improper Input Frame Validation in ieee802154 Processing. Zephyr versions >= v1.14.2, >= v2.2.0 contain Stack-based Buffer Overflow (CWE-121), Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3gvq-h42f-v3c7
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| vulnerabilities@zephyrproject.org | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | 3.9 | 3.7 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-121,CWE-122,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Missing Size Checks in Bluetooth HCI over SPI. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Length Parameter Inconsistency (CWE-130). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hg2w-62p6-g67c
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 3.8 | LOW | CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L | 0.4 | 3.4 |
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-130,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Incorrect Error Handling in Bluetooth HCI core. Zephyr versions >= v1.14.2, >= v2.2.0 contain NULL Pointer Dereference (CWE-476). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gc66-xfrc-24qr
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.7 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.1 | 3.6 |
| vulnerabilities@zephyrproject.org | 2.5 | LOW | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L | 1.0 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-476,CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
A malicious userspace application can cause a integer overflow and bypass security checks performed by system call handlers. The impact would depend on the underlying system call and can range from denial of service to information leak to memory corruption resulting in code execution within the kernel. See NCC-ZEP-005 This issue affects: zephyrproject-rtos zephyr version 1.14.1 and later versions. version 2.1.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.5 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H | 0.8 | 6.0 |
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 1.14.1 |
| zephyrproject | zephyr | 2.1.0 |
In the Zephyr project Bluetooth subsystem, certain duplicate and back-to-back packets can cause incorrect behavior, resulting in a denial of service. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions, and version 1.14.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
| vulnerabilities@zephyrproject.org | 5.1 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 1.4 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Zephyr Bluetooth unchecked packet data results in denial of service. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Parameters (CWE-233). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-f6vh-7v4x-8fjp
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-233,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 2.2 | 6.0 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,CWE-190,CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow and potentially remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 2.2 | 6.0 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-120,CWE-129,CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Improper Handling of Insufficient Permissions or Privileges in zephyr. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Insufficient Permissions or Privileges (CWE-280). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-vf79-hqwm-w4xc
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 1.8 | 3.4 |
| vulnerabilities@zephyrproject.org | 5.9 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.5 | 3.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-280,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat. Zephyr versions >= v1.14.2, >= v2.3.0 contain Stack-based Buffer Overflow (CWE-121). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7fhv-rgxr-x56h
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L | 2.0 | 3.7 |
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-121,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Security problem with settings and littlefs. Zephyr versions >= 1.14.2, >= 2.3.0 contain Incorrect Default Permissions (CWE-276). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5qhg-j6wc-4f6q
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
| vulnerabilities@zephyrproject.org | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-276,CWE-276,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Malformed SPI in response for eswifi can corrupt kernel memory. Zephyr versions >= 1.14.2, >= 2.3.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hx4p-j86p-2mhr
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.6 | HIGH | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 0.9 | 6.0 |
| vulnerabilities@zephyrproject.org | 7.0 | HIGH | CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | 0.4 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-122,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Possible read out of bounds in dns read. Zephyr versions >= 1.14.2, >= 2.3.0 contain Out-of-bounds Read (CWE-125). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-mm57-9hqw-qh44
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| vulnerabilities@zephyrproject.org | 9.0 | CRITICAL | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | 2.2 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Remote Denial of Service in LwM2M do_write_op_tlv. Zephyr versions >= 1.14.2, >= 2.2.0 contain Improper Input Validation (CWE-20), Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-g9mg-fj58-6fqh
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
| vulnerabilities@zephyrproject.org | 4.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.5 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,CWE-835,CWE-20,CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Integer Overflow in memory allocating functions. Zephyr versions >= 1.14.2, >= 2.4.0 contain Integer Overflow or Wraparound (CWE-190). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94vp-8gc2-rm45
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 6.9 | MEDIUM | CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H | 0.3 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-190,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Zephyr versions >= > v2.4.0 contain NULL Pointer Dereference (CWE-476), Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| vulnerabilities@zephyrproject.org | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H | 2.2 | 4.2 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-476,CWE-588,CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Type Confusion in 802154 ACK Frames Handling. Zephyr versions >= v2.4.0 contain NULL Pointer Dereference (CWE-476). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-27r3-rxch-2hm7
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| vulnerabilities@zephyrproject.org | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-476,CWE-476,CWE-843,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Integer Underflow in Zephyr in IEEE 802154 Fragment Reassembly Header Removal. Zephyr versions >= >=2.4.0 contain Integer Overflow to Buffer Overflow (CWE-680). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-w44j-66g7-xw99
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 7.5 | HIGH | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H | 1.6 | 5.3 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-680,CWE-191,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Unexpected Pointer Aliasing in IEEE 802154 Fragment Reassembly in Zephyr. Zephyr versions >= >=2.4.0 contain NULL Pointer Dereference (CWE-476). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p86r-gc4r-4mq3
CVSS 2.0
Severity: LOW
Problem Type: CWE-476,CWE-476,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Zephyr versions >= >=2.4.0 contain Integer Underflow (Wrap or Wraparound) (CWE-191). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-89j6-qpxf-pfpc
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| vulnerabilities@zephyrproject.org | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | 3.9 | 3.7 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-191,CWE-191,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Lack of proper validation in HCI Host stack initialization can cause a crash of the bluetooth stack
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
| vulnerabilities@zephyrproject.org | 9.6 | CRITICAL | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H | 2.8 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 2.4.0 |
RCE/DOS: Linked-list corruption leading to large out-of-bounds write while sorting for forged fragment list in Zephyr. Zephyr versions >= >=2.4.0 contain Out-of-bounds Write (CWE-787). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fj4r-373f-9456
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | 2.8 | 3.7 |
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. Zephyr versions >= v1.14 contain Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-46h3-hjcq-2jjr
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| vulnerabilities@zephyrproject.org | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-617,CWE-617,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Assertion reachable with repeated LL_FEATURE_REQ. Zephyr versions >= v2.5.0 contain Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7548-5m6f-mqv9
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-617,CWE-617,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Invalid interval in CONNECT_IND leads to Division by Zero. Zephyr versions >= v1.14.0 Divide By Zero (CWE-369). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7364-p4wc-8mj4
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-369,CWE-369,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Invalid channel map in CONNECT_IND results to Deadlock. Zephyr versions >= v2.5.0 Improper Check or Handling of Exceptional Conditions (CWE-703). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3c2f-w4v6-qxrp
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 1.8 | 1.4 |
| vulnerabilities@zephyrproject.org | 4.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.5 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-703,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Stack based buffer overflow in le_ecred_conn_req(). Zephyr versions >= v2.5.0 Stack-based Buffer Overflow (CWE-121). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8w87-6rfp-cfrm
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 4.9 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L | 1.4 | 3.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-121,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Information leakage in le_ecred_conn_req(). Zephyr versions >= v2.4.0 Use of Uninitialized Resource (CWE-908). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xhg3-gvj6-4rqh
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
| vulnerabilities@zephyrproject.org | 4.0 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2.5 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-908,CWE-908,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L | 3.9 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-694,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 2.5.0 |
| zephyrproject | zephyr | 2.4.0 |
| zephyrproject | zephyr | 1.14.2 |
Truncated L2CAP K-frame causes assertion failure. Zephyr versions >= 2.4.0, >= v.2.50 contain Improper Handling of Length Parameter Inconsistency (CWE-130), Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-vrp3
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-130,CWE-617,CWE-617,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Disconnecting L2CAP channel right after invalid ATT request leads freeze. Zephyr versions >= 2.4.0, >= 2.5.0 contain Use After Free (CWE-416). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7g38-3x9v-v7vp
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.8 | 1.4 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-416,CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Zephyr JSON decoder incorrectly decodes array of array. Zephyr versions >= >1.14.0, >= >2.5.0 contain Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| vulnerabilities@zephyrproject.org | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-588,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 2.5.0 |
| zephyrproject | zephyr | 2.6.1 |
| zephyrproject | zephyr | 1.14.1 |
| zephyrproject | zephyr | 1.14.0 |
| zephyrproject | zephyr | 2.6.0 |
| zephyrproject | zephyr | 2.5.1 |
| zephyrproject | zephyr | 1.14.3 |
| zephyrproject | zephyr | 1.14.2 |
Buffer Access with Incorrect Length Value in zephyr. Zephyr versions >= >=2.5.0 contain Buffer Access with Incorrect Length Value (CWE-805). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 7.0 | HIGH | CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | 0.4 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-805,CWE-1284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Buffer overflow in Zephyr USB DFU DNLOAD. Zephyr versions >= v2.5.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3gr-hgvr-f363
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 9.6 | CRITICAL | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H | 2.8 | 6.0 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-122,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Buffer overflow in usb device class. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fm6v-8625-99jf
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.2 | HIGH | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H | 1.6 | 6.0 |
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-122,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 3.0.0 |
| zephyrproject | zephyr | * |
The RNDIS USB device class includes a buffer overflow vulnerability. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hvfp-w4h8-gxvj
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
| vulnerabilities@zephyrproject.org | 8.2 | HIGH | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H | 1.6 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-122,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
There is no check to see if slot 0 is being uploaded from the device to the host. When using encrypted images this means the unencrypted firmware can be retrieved easily.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.2 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L | 2.3 | 5.3 |
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 8.2 | HIGH | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L | 2.3 | 5.3 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
In subsys/net/ip/tcp.c , function tcp_flags , when the incoming parameter flags is ECN or CWR , the buf will out-of-bounds write a byte zero.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L | 3.9 | 2.7 |
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The frame must have a CAN ID matching an installed filter in the vulnerable node (this can easily be guessed based on CAN traffic analyses). The frame must contain the opposite RTR bit as what the filter installed in the vulnerable node contains (if the filter matches RTR frames, the frame must be a data frame or vice versa).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | 3.9 | 4.2 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all requirements were unmet.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
A missing nullptr-check in handle_ra_input can cause a nullptr-deref.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
A malicious / defective bluetooth controller can cause buffer overreads in the most functions that process HCI command responses.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
A malicious / defect bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buffer_size_complete.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
At the most basic level, an invalid pointer can be input that crashes the device, but with more knowledge of the device’s memory layout, further exploitation is possible.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.7 | MEDIUM | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H | 1.2 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 5.9 | MEDIUM | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H | 1.2 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
The bluetooth HCI host layer logic not clearing a global reference to a state pointer after handling connection events may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 5.9 | MEDIUM | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H | 1.2 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Union variant confusion allows any malicious BT controller to execute arbitrary code on the Zephyr host.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| vulnerabilities@zephyrproject.org | 7.6 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| vulnerabilities@zephyrproject.org | 7.6 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
In Bluetooth mesh implementation If provisionee has a public key that is sent OOB then during provisioning it can be sent back and will be accepted by provisionee.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
| vulnerabilities@zephyrproject.org | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | 3.9 | 4.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Two potential buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 7.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H | 2.8 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 |
| vulnerabilities@zephyrproject.org | 6.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L | 2.0 | 3.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Possible buffer overflow in Zephyr mgmt subsystem when asserts are disabled
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 |
| vulnerabilities@zephyrproject.org | 5.1 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | 0.9 | 3.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nRF 15.4 driver
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 7.6 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | 2.8 | 3.7 |
| nvd@nist.gov | 9.6 | CRITICAL | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2.8 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Potential buffer overflow vulnerabilities in the following locations: https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/usb/device/usb_dc_native_posix.c#L359 https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/usb/device/usb_dc_native_posix.c#L359 https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/usb/device/class/netusb/function_rndis... https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/usb/device/class/netusb/function_rndis.c#L841
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.4 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H | 0.9 | 5.5 |
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
An malicious BLE device can cause buffer overflow by sending malformed advertising packet BLE device using Zephyr OS, leading to DoS or potential RCE on the victim BLE device.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| vulnerabilities@zephyrproject.org | 8.3 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H | 2.8 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.3 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H | 2.8 | 5.5 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Potential buffer overflow vulnerability at the following location in the Zephyr STM32 Crypto driver
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L | 1.8 | 2.5 |
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H | 1.1 | 5.3 |
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 2.0 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
The SJA1000 CAN controller driver backend automatically attempt to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
| vulnerabilities@zephyrproject.org | 7.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | 2.8 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 |
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
can: out of bounds in remove_rx_filter function
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L | 1.8 | 2.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Signed to unsigned conversion esp32_ipm_send
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.0 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H | 2.5 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | 3.5.0 |
| zephyrproject | zephyr | * |
Unchecked length coming from user input in settings shell
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.0 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H | 2.5 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Possible buffer overflow in is_mount_point
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 2.5 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination address.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 3.9 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
No proper validation of the length of user input in http_server_get_content_type_from_extension.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 3.9 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 9.3 | CRITICAL | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 2.5 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: Attribute read/write permission with LE Secure Connection encryption. If set, requires that LE Secure Connections is used for read/write access, however this is only true when it is combined with other permissions, namely BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN (for read) or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN (for write), if these additional permissions are not set (even in secure connections only mode) then the stack does not perform any permission checks on these characteristics and they can be freely written/read.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 3.9 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
An malicious BLE device can crash BLE victim device by sending malformed gatt packet
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.8 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H | 2.1 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
A malicious BLE device can send a specific order of packet sequence to cause a DoS attack on the victim BLE device
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.6 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
BT: Encryption procedure host vulnerability
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.2 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
BT: Unchecked user input in bap_broadcast_assistant
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
BT: Classic: SDP OOB access in get_att_search_list
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.6 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
BT: Missing length checks of net_buf in rfcomm_handle_data
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.8 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H | 2.1 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
BT: HCI: adv_ext_report Improper discarding in adv_ext_report
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.6 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.8 | 3.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
| vulnerabilities@zephyrproject.org | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption, depending on the BLE stack implementation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | 2.8 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 4.3 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Parameters are not validated or sanitized, and are later used in various internal operations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.6 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | 3.9 | 4.2 |
| vulnerabilities@zephyrproject.org | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | 3.9 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H | 3.9 | 4.2 |
| nvd@nist.gov | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H | 3.9 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
The function dns_copy_qname in dns_pack.c performs performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H | 3.9 | 4.2 |
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09915215; Issue ID: MSV-3801.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| android | 14.0 | |
| android | 13.0 | |
| linuxfoundation | yocto | 4.0 |
| zephyrproject | zephyr | 3.7.0 |
| android | 15.0 | |
| openwrt | openwrt | 23.05 |
| rdkcentral | rdk-b | 2024q1 |
| openwrt | openwrt | 21.02.0 |
In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010441; Issue ID: MSV-3967.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| android | 14.0 | |
| linuxfoundation | yocto | 4.0 |
| zephyrproject | zephyr | 3.7.0 |
| openwrt | openwrt | 23.05.0 |
| android | 15.0 | |
| rdkcentral | rdk-b | 2024q1 |
| openwrt | openwrt | 21.02.0 |
In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010443; Issue ID: MSV-3966.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| android | 14.0 | |
| linuxfoundation | yocto | 4.0 |
| zephyrproject | zephyr | 3.7.0 |
| openwrt | openwrt | 23.05.0 |
| android | 15.0 | |
| rdkcentral | rdk-b | 2024q1 |
| openwrt | openwrt | 21.02.0 |
A denial-of-service issue in the dns implemenation could cause an infinite loop.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.6 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H | 2.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 9.4 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H | 3.9 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H | 1.8 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |
Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| vulnerabilities@zephyrproject.org | 6.1 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H | 1.8 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| zephyrproject | zephyr | * |