MidnightBSD

Advisories for zephyrproject

CVE-2017-14199 HIGH

A buffer overflow has been found in the Zephyr Project's getaddrinfo() implementation in 1.9.0 and 1.10.0.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
zephyrproject zephyr 1.10.0
zephyrproject zephyr 1.9.0
CVE-2017-14201 MEDIUM

Use After Free vulnerability in the Zephyr shell allows a serial or telnet connected user to cause denial of service, and possibly remote code execution. This issue affects: Zephyr shell versions prior to 1.14.0 on all.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2017-14202 MEDIUM

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the shell component of Zephyr allows a serial or telnet connected user to cause a crash, possibly with arbitrary code execution. This issue affects: Zephyr shell versions prior to 1.14.0 on all.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-119,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2018-1000800 HIGH

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get() that can result in CPU Page Fault (error code 0x00000010). This attack appear to be exploitable via a malicious application call the vulnerable kernel APIs (system sys_ring_buf_get() and sys_ring_buf_put).

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,

Products Affected

Vendor Product Version
zephyrproject zephyr 1.12.0
CVE-2020-10019 MEDIUM

USB DFU has a potential buffer overflow where the requested length (wLength) is not checked against the buffer size. This could be used by a malicious USB host to exploit the buffer overflow. See NCC-ZEP-002 This issue affects: zephyrproject-rtos zephyr version 1.14.1 and later versions. version 2.1.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
vulnerabilities@zephyrproject.org 8.1 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 1.4 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10021 MEDIUM

Out-of-bounds Write in the USB Mass Storage memoryWrite handler with unaligned Sizes See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026 This issue affects: zephyrproject-rtos zephyr version 1.14.1 and later versions. version 2.1.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
vulnerabilities@zephyrproject.org 8.1 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 1.4 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10022 HIGH

A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in the best case, or code execution in the worst case. See NCC-NCC-016 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions. version 2.2.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
zephyrproject zephyr 2.1.0
zephyrproject zephyr 2.2.0
CVE-2020-10023 MEDIUM

The shell subsystem contains a buffer overflow, whereby an adversary with physical access to the device is able to cause a memory corruption, resulting in denial of service or possibly code execution within the Zephyr kernel. See NCC-NCC-019 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.9 MEDIUM CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 0.3 6.0
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,CWE-120,

Products Affected

Vendor Product Version
zephyrproject zephyr 1.14.1
zephyrproject zephyr 2.1.0
CVE-2020-10024 HIGH

The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
vulnerabilities@zephyrproject.org 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-697,CWE-697,

Products Affected

Vendor Product Version
zephyrproject zephyr 2.1.0
zephyrproject zephyr 1.14.2
CVE-2020-10027 HIGH

An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
vulnerabilities@zephyrproject.org 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-697,CWE-697,

Products Affected

Vendor Product Version
zephyrproject zephyr 1.14.0
zephyrproject zephyr 2.1.0
CVE-2020-10028 MEDIUM

Multiple syscalls with insufficient argument validation See NCC-ZEP-006 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and later versions. version 2.1.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
zephyrproject zephyr 1.14.0
zephyrproject zephyr 2.1.0
CVE-2020-10058 MEDIUM

Multiple syscalls in the Kscan subsystem perform insufficient argument validation, allowing code executing in userspace to potentially gain elevated privileges. See NCC-ZEP-006 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
vulnerabilities@zephyrproject.org 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
zephyrproject zephyr 2.1.0
CVE-2020-10059 MEDIUM

The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L 2.2 2.5
vulnerabilities@zephyrproject.org 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
zephyrproject zephyr 2.1.0
zephyrproject zephyr 2.2.0
CVE-2020-10060 MEDIUM

In updatehub_probe, right after JSON parsing is complete, objects\[1] is accessed from the output structure in two different places. If the JSON contained less than two elements, this access would reference unitialized stack memory. This could result in a crash, denial of service, or possibly an information leak. Provided the fix in CVE-2020-10059 is applied, the attack requires compromise of the server. See NCC-ZEP-030 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions. version 2.2.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H 1.2 5.2
vulnerabilities@zephyrproject.org 8.0 HIGH CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 1.3 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-824,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10061 MEDIUM

Improper handling of the full-buffer case in the Zephyr Bluetooth implementation can result in memory corruption. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions, and version 1.14.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.1 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 1.4 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10062 HIGH

An off-by-one error in the Zephyr project MQTT packet length decoder can result in memory corruption and possible remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-193,CWE-193,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10063 MEDIUM

A remote adversary with the ability to send arbitrary CoAP packets to be parsed by Zephyr is able to cause a denial of service. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H 2.2 4.0
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10064 HIGH

Improper Input Frame Validation in ieee802154 Processing. Zephyr versions >= v1.14.2, >= v2.2.0 contain Stack-based Buffer Overflow (CWE-121), Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3gvq-h42f-v3c7

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
vulnerabilities@zephyrproject.org 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L 3.9 3.7

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121,CWE-122,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10065 MEDIUM

Missing Size Checks in Bluetooth HCI over SPI. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Length Parameter Inconsistency (CWE-130). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hg2w-62p6-g67c

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 3.8 LOW CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L 0.4 3.4
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-130,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10066 LOW

Incorrect Error Handling in Bluetooth HCI core. Zephyr versions >= v1.14.2, >= v2.2.0 contain NULL Pointer Dereference (CWE-476). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gc66-xfrc-24qr

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.1 3.6
vulnerabilities@zephyrproject.org 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L 1.0 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10067 HIGH

A malicious userspace application can cause a integer overflow and bypass security checks performed by system call handlers. The impact would depend on the underlying system call and can range from denial of service to information leak to memory corruption resulting in code execution within the kernel. See NCC-ZEP-005 This issue affects: zephyrproject-rtos zephyr version 1.14.1 and later versions. version 2.1.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 0.8 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
zephyrproject zephyr 1.14.1
zephyrproject zephyr 2.1.0
CVE-2020-10068 LOW

In the Zephyr project Bluetooth subsystem, certain duplicate and back-to-back packets can cause incorrect behavior, resulting in a denial of service. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions, and version 1.14.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
vulnerabilities@zephyrproject.org 5.1 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 1.4 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10069 LOW

Zephyr Bluetooth unchecked packet data results in denial of service. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Parameters (CWE-233). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-f6vh-7v4x-8fjp

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-233,NVD-CWE-Other,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10070 HIGH

In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-190,CWE-120,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10071 HIGH

The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow and potentially remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,CWE-129,CWE-120,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-10072 MEDIUM

Improper Handling of Insufficient Permissions or Privileges in zephyr. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Insufficient Permissions or Privileges (CWE-280). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-vf79-hqwm-w4xc

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 1.8 3.4
vulnerabilities@zephyrproject.org 5.9 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.5 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-280,NVD-CWE-Other,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-13598 MEDIUM

FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat. Zephyr versions >= v1.14.2, >= v2.3.0 contain Stack-based Buffer Overflow (CWE-121). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7fhv-rgxr-x56h

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L 2.0 3.7
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-121,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-13599 LOW

Security problem with settings and littlefs. Zephyr versions >= 1.14.2, >= 2.3.0 contain Incorrect Default Permissions (CWE-276). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5qhg-j6wc-4f6q

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4
vulnerabilities@zephyrproject.org 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-276,CWE-276,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-13600 HIGH

Malformed SPI in response for eswifi can corrupt kernel memory. Zephyr versions >= 1.14.2, >= 2.3.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hx4p-j86p-2mhr

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.6 HIGH CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 0.9 6.0
vulnerabilities@zephyrproject.org 7.0 HIGH CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 0.4 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-13601 HIGH

Possible read out of bounds in dns read. Zephyr versions >= 1.14.2, >= 2.3.0 contain Out-of-bounds Read (CWE-125). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-mm57-9hqw-qh44

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
vulnerabilities@zephyrproject.org 9.0 CRITICAL CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 2.2 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-125,CWE-125,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-13602 LOW

Remote Denial of Service in LwM2M do_write_op_tlv. Zephyr versions >= 1.14.2, >= 2.2.0 contain Improper Input Validation (CWE-20), Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-g9mg-fj58-6fqh

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 1.8 3.6
vulnerabilities@zephyrproject.org 4.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,CWE-835,CWE-20,CWE-835,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2020-13603 MEDIUM

Integer Overflow in memory allocating functions. Zephyr versions >= 1.14.2, >= 2.4.0 contain Integer Overflow or Wraparound (CWE-190). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94vp-8gc2-rm45

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
vulnerabilities@zephyrproject.org 6.9 MEDIUM CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 0.3 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,CWE-190,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3319 HIGH

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Zephyr versions >= > v2.4.0 contain NULL Pointer Dereference (CWE-476), Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
vulnerabilities@zephyrproject.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H 2.2 4.2

CVSS 2.0

Severity: HIGH

Problem Type: CWE-476,CWE-588,CWE-476,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3320 MEDIUM

Type Confusion in 802154 ACK Frames Handling. Zephyr versions >= v2.4.0 contain NULL Pointer Dereference (CWE-476). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-27r3-rxch-2hm7

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
vulnerabilities@zephyrproject.org 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,CWE-843,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3321 MEDIUM

Integer Underflow in Zephyr in IEEE 802154 Fragment Reassembly Header Removal. Zephyr versions >= >=2.4.0 contain Integer Overflow to Buffer Overflow (CWE-680). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-w44j-66g7-xw99

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
vulnerabilities@zephyrproject.org 7.5 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H 1.6 5.3

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-680,CWE-191,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3322 LOW

Unexpected Pointer Aliasing in IEEE 802154 Fragment Reassembly in Zephyr. Zephyr versions >= >=2.4.0 contain NULL Pointer Dereference (CWE-476). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p86r-gc4r-4mq3

CVSS 2.0

Severity: LOW

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3323 HIGH

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Zephyr versions >= >=2.4.0 contain Integer Underflow (Wrap or Wraparound) (CWE-191). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-89j6-qpxf-pfpc

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
vulnerabilities@zephyrproject.org 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L 3.9 3.7

CVSS 2.0

Severity: HIGH

Problem Type: CWE-191,CWE-191,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3329

Lack of proper validation in HCI Host stack initialization can cause a crash of the bluetooth stack

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
vulnerabilities@zephyrproject.org 9.6 CRITICAL CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
zephyrproject zephyr 2.4.0
CVE-2021-3330 MEDIUM

RCE/DOS: Linked-list corruption leading to large out-of-bounds write while sorting for forged fragment list in Zephyr. Zephyr versions >= >=2.4.0 contain Out-of-bounds Write (CWE-787). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fj4r-373f-9456

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L 2.8 3.7
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3430 MEDIUM

Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. Zephyr versions >= v1.14 contain Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-46h3-hjcq-2jjr

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
vulnerabilities@zephyrproject.org 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,CWE-617,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3431 MEDIUM

Assertion reachable with repeated LL_FEATURE_REQ. Zephyr versions >= v2.5.0 contain Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7548-5m6f-mqv9

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-617,CWE-617,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3432 MEDIUM

Invalid interval in CONNECT_IND leads to Division by Zero. Zephyr versions >= v1.14.0 Divide By Zero (CWE-369). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7364-p4wc-8mj4

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,CWE-369,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3433 LOW

Invalid channel map in CONNECT_IND results to Deadlock. Zephyr versions >= v2.5.0 Improper Check or Handling of Exceptional Conditions (CWE-703). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3c2f-w4v6-qxrp

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 1.8 1.4
vulnerabilities@zephyrproject.org 4.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-703,NVD-CWE-Other,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3434 MEDIUM

Stack based buffer overflow in le_ecred_conn_req(). Zephyr versions >= v2.5.0 Stack-based Buffer Overflow (CWE-121). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8w87-6rfp-cfrm

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
vulnerabilities@zephyrproject.org 4.9 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L 1.4 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-121,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3435 LOW

Information leakage in le_ecred_conn_req(). Zephyr versions >= v2.4.0 Use of Uninitialized Resource (CWE-908). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xhg3-gvj6-4rqh

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4
vulnerabilities@zephyrproject.org 4.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 2.5 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-908,CWE-908,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3436 MEDIUM

BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-694,NVD-CWE-Other,

Products Affected

Vendor Product Version
zephyrproject zephyr 2.5.0
zephyrproject zephyr 2.4.0
zephyrproject zephyr 1.14.2
CVE-2021-3454 MEDIUM

Truncated L2CAP K-frame causes assertion failure. Zephyr versions >= 2.4.0, >= v.2.50 contain Improper Handling of Length Parameter Inconsistency (CWE-130), Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-vrp3

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-130,CWE-617,CWE-617,NVD-CWE-Other,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3455 MEDIUM

Disconnecting L2CAP channel right after invalid ATT request leads freeze. Zephyr versions >= 2.4.0, >= 2.5.0 contain Use After Free (CWE-416). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7g38-3x9v-v7vp

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,CWE-416,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3510 MEDIUM

Zephyr JSON decoder incorrectly decodes array of array. Zephyr versions >= >1.14.0, >= >2.5.0 contain Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
vulnerabilities@zephyrproject.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-588,NVD-CWE-Other,

Products Affected

Vendor Product Version
zephyrproject zephyr 2.5.0
zephyrproject zephyr 2.6.1
zephyrproject zephyr 1.14.1
zephyrproject zephyr 1.14.0
zephyrproject zephyr 2.6.0
zephyrproject zephyr 2.5.1
zephyrproject zephyr 1.14.3
zephyrproject zephyr 1.14.2
CVE-2021-3581 MEDIUM

Buffer Access with Incorrect Length Value in zephyr. Zephyr versions >= >=2.5.0 contain Buffer Access with Incorrect Length Value (CWE-805). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
vulnerabilities@zephyrproject.org 7.0 HIGH CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 0.4 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-805,CWE-1284,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3625 HIGH

Buffer overflow in Zephyr USB DFU DNLOAD. Zephyr versions >= v2.5.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3gr-hgvr-f363

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 9.6 CRITICAL CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H 2.8 6.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3835 MEDIUM

Buffer overflow in usb device class. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fm6v-8625-99jf

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.2 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H 1.6 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr 3.0.0
zephyrproject zephyr *
CVE-2021-3861 HIGH

The RNDIS USB device class includes a buffer overflow vulnerability. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hvfp-w4h8-gxvj

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9
vulnerabilities@zephyrproject.org 8.2 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H 1.6 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-122,CWE-787,

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2021-3966

usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2022-0553

There is no check to see if slot 0 is being uploaded from the device to the host. When using encrypted images this means the unencrypted firmware can be retrieved easily.

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2022-1041

In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.2 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L 2.3 5.3
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2022-1042

In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
vulnerabilities@zephyrproject.org 8.2 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L 2.3 5.3

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2022-1841

In subsys/net/ip/tcp.c , function tcp_flags , when the incoming parameter flags is ECN or CWR , the buf will out-of-bounds write a byte zero.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L 3.9 2.7
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2022-2741

The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The frame must have a CAN ID matching an installed filter in the vulnerable node (this can easily be guessed based on CAN traffic analyses). The frame must contain the opposite RTR bit as what the filter installed in the vulnerable node contains (if the filter matches RTR frames, the frame must be a data frame or vice versa).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 3.9 4.2
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2022-2993

There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all requirements were unmet.

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2022-3806

Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-0359

A missing nullptr-check in handle_ra_input can cause a nullptr-deref.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-0396

A malicious / defective bluetooth controller can cause buffer overreads in the most functions that process HCI command responses.

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-0397

A malicious / defect bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buffer_size_complete.

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-0779

At the most basic level, an invalid pointer can be input that crashes the device, but with more knowledge of the device’s memory layout, further exploitation is possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.7 MEDIUM CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H 1.2 5.5

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-1901

The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 5.9 MEDIUM CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H 1.2 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-1902

The bluetooth HCI host layer logic not clearing a global reference to a state pointer after handling connection events may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 5.9 MEDIUM CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H 1.2 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-2234

Union variant confusion allows any malicious BT controller to execute arbitrary code on the Zephyr host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-3725

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
vulnerabilities@zephyrproject.org 7.6 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-4257

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
vulnerabilities@zephyrproject.org 7.6 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-4258

In Bluetooth mesh implementation If provisionee has a public key that is sent OOB then during provisioning it can be sent back and will be accepted by provisionee.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
vulnerabilities@zephyrproject.org 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N 3.9 4.0

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-4259

Two potential buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
vulnerabilities@zephyrproject.org 7.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 2.8 4.2

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-4260

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0
vulnerabilities@zephyrproject.org 6.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L 2.0 3.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-4262

Possible buffer overflow  in Zephyr mgmt subsystem when asserts are disabled

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 10.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 3.9 6.0
vulnerabilities@zephyrproject.org 5.1 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L 0.9 3.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-4263

Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nRF 15.4 driver

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
vulnerabilities@zephyrproject.org 7.6 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-4264

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L 2.8 3.7
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-4265

Potential buffer overflow vulnerabilities in the following locations: https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/usb/device/usb_dc_native_posix.c#L359 https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/usb/device/usb_dc_native_posix.c#L359 https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/usb/device/class/netusb/function_rndis... https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/usb/device/class/netusb/function_rndis.c#L841

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.4 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H 0.9 5.5
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-4424

An malicious BLE device can cause buffer overflow by sending malformed advertising packet BLE device using Zephyr OS, leading to DoS or potential RCE on the victim BLE device.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
vulnerabilities@zephyrproject.org 8.3 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H 2.8 5.5

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-5055

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.3 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H 2.8 5.5
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-5139

Potential buffer overflow vulnerability at the following location in the Zephyr STM32 Crypto driver

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L 1.8 2.5
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-5184

Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H 1.1 5.3
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-5563

The SJA1000 CAN controller driver backend automatically attempt to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
vulnerabilities@zephyrproject.org 7.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 2.8 4.2

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-5753

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.8 3.4
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-5779

can: out of bounds in remove_rx_filter function

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L 1.8 2.5

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-6249

Signed to unsigned conversion esp32_ipm_send

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.0 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H 2.5 5.5

Products Affected

Vendor Product Version
zephyrproject zephyr 3.5.0
zephyrproject zephyr *
CVE-2023-6749

Unchecked length coming from user input in settings shell

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.0 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H 2.5 5.5

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-6881

Possible buffer overflow in is_mount_point

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 2.5 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2023-7060

Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination address.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 3.9 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-10395

No proper validation of the length of user input in http_server_get_content_type_from_extension.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 3.9 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-11263

When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 9.3 CRITICAL CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 2.5 6.0

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-1638

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: Attribute read/write permission with LE Secure Connection encryption. If set, requires that LE Secure Connections is used for read/write access, however this is only true when it is combined with other permissions, namely BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN (for read) or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN (for write), if these additional permissions are not set (even in secure connections only mode) then the stack does not perform any permission checks on these characteristics and they can be freely written/read.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-3077

An malicious BLE device can crash BLE victim device by sending malformed gatt packet

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H 2.1 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-3332

A malicious BLE device can send a specific order of packet sequence to cause a DoS attack on the victim BLE device

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-4785

BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.6 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-5754

BT: Encryption procedure host vulnerability

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.2 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N 2.8 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-5931

BT: Unchecked user input in bap_broadcast_assistant

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-6137

BT: Classic: SDP OOB access in get_att_search_list

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.6 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-6258

BT: Missing length checks of net_buf in rfcomm_handle_data

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.8 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H 2.1 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-6259

BT: HCI: adv_ext_report Improper discarding in adv_ext_report

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.6 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-6442

In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-6443

In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-6444

No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2024-8798

No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
vulnerabilities@zephyrproject.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2025-10456

A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption, depending on the BLE stack implementation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 2.8 4.2

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2025-10457

The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2025-10458

Parameters are not validated or sanitized, and are later used in various internal operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.6 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2025-1673

A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 3.9 4.2
vulnerabilities@zephyrproject.org 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H 3.9 4.2

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2025-1674

A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2025-1675

The function dns_copy_qname in dns_pack.c performs performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H 3.9 4.2
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 3.9 5.2

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2025-20696

In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09915215; Issue ID: MSV-3801.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

Products Affected

Vendor Product Version
google android 14.0
google android 13.0
linuxfoundation yocto 4.0
zephyrproject zephyr 3.7.0
google android 15.0
openwrt openwrt 23.05
rdkcentral rdk-b 2024q1
openwrt openwrt 21.02.0
CVE-2025-20746

In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010441; Issue ID: MSV-3967.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
google android 14.0
linuxfoundation yocto 4.0
zephyrproject zephyr 3.7.0
openwrt openwrt 23.05.0
google android 15.0
rdkcentral rdk-b 2024q1
openwrt openwrt 21.02.0
CVE-2025-20747

In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010443; Issue ID: MSV-3966.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
google android 14.0
linuxfoundation yocto 4.0
zephyrproject zephyr 3.7.0
openwrt openwrt 23.05.0
google android 15.0
rdkcentral rdk-b 2024q1
openwrt openwrt 21.02.0
CVE-2025-2962

A denial-of-service issue in the dns implemenation could cause an infinite loop.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2025-7403

Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.6 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2026-1678

dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 9.4 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H 3.9 5.5

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2026-1679

The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H 1.8 5.5

Products Affected

Vendor Product Version
zephyrproject zephyr *
CVE-2026-4179

Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
vulnerabilities@zephyrproject.org 6.1 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H 1.8 4.2

Products Affected

Vendor Product Version
zephyrproject zephyr *