CVE-2026-10659
- EPSS 0.09%
- Veröffentlicht 07.07.2026 12:58:11
- Zuletzt bearbeitet 09.07.2026 17:42:30
The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DH...
CVE-2026-10657
- EPSS 0.24%
- Veröffentlicht 05.07.2026 22:23:37
- Zuletzt bearbeitet 08.07.2026 14:55:01
Zephyr's DNS resolver detects mDNS (.local) queries in dns_resolve_name_internal() (subsys/net/lib/dns/resolve.c) with memcmp(strrchr(query, '.'), ".local", 7), which always reads a fixed 7 bytes from the suffix pointer. When the resolved hostname's ...
CVE-2026-10656
- EPSS 0.19%
- Veröffentlicht 05.07.2026 22:23:36
- Zuletzt bearbeitet 08.07.2026 14:59:33
The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c, compatible adi_max32_usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udc_event_xfer_out_done() called net_buf_...
CVE-2026-10655
- EPSS 0.25%
- Veröffentlicht 30.06.2026 16:33:54
- Zuletzt bearbeitet 06.07.2026 19:42:27
The asynchronous SNTP client in Zephyr (subsys/net/lib/sntp/sntp.c, sntp_close_async) closed the UDP socket file descriptor directly from the calling thread immediately after detaching it from the network socket service, without synchronizing with th...
CVE-2026-10654
- EPSS 0.13%
- Veröffentlicht 30.06.2026 16:29:12
- Zuletzt bearbeitet 06.07.2026 19:41:51
A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a session teardown (state BT_RFCOMM_STATE_DISC...
CVE-2026-10653
- EPSS 0.24%
- Veröffentlicht 30.06.2026 16:20:16
- Zuletzt bearbeitet 06.07.2026 19:41:23
The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block ref_count at the start of each variable/heap data allocation -- with plain non-atomic C operators (buf->ref++, i...
CVE-2026-9263
- EPSS 0.2%
- Veröffentlicht 30.06.2026 16:01:34
- Zuletzt bearbeitet 06.07.2026 19:43:06
The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment (sc=0) always carries a 3-byte time...
CVE-2026-10652
- EPSS 0.25%
- Veröffentlicht 30.06.2026 15:50:46
- Zuletzt bearbeitet 06.07.2026 19:40:45
Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending p...
CVE-2026-10648
- EPSS 0.11%
- Veröffentlicht 29.06.2026 22:51:27
- Zuletzt bearbeitet 01.07.2026 13:59:27
mcumgr_serial_process_frag() in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset() on the result of smp_packet_alloc() before checking it for NULL. smp_packet_alloc() uses net_buf_alloc(K_NO_WAIT) against the shared MCUmgr packet po...
CVE-2026-8023
- EPSS 0.91%
- Veröffentlicht 29.06.2026 22:15:22
- Zuletzt bearbeitet 06.07.2026 19:37:36
Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 an...