Zephyrproject

Zephyr

157 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
Exploit
  • EPSS 0.09%
  • Veröffentlicht 07.07.2026 12:58:11
  • Zuletzt bearbeitet 09.07.2026 17:42:30

The Dhara flash translation layer disk driver (drivers/disk/ftl_dhara.c) implemented the dhara_nand_ callbacks so that, on a flash error, the error code was written unconditionally through the caller-supplied dhara_error_t err pointer (e.g. *err = DH...

Exploit
  • EPSS 0.24%
  • Veröffentlicht 05.07.2026 22:23:37
  • Zuletzt bearbeitet 08.07.2026 14:55:01

Zephyr's DNS resolver detects mDNS (.local) queries in dns_resolve_name_internal() (subsys/net/lib/dns/resolve.c) with memcmp(strrchr(query, '.'), ".local", 7), which always reads a fixed 7 bytes from the suffix pointer. When the resolved hostname's ...

Exploit
  • EPSS 0.19%
  • Veröffentlicht 05.07.2026 22:23:36
  • Zuletzt bearbeitet 08.07.2026 14:59:33

The MAX32xxx USB device controller driver (drivers/usb/udc/udc_max32.c, compatible adi_max32_usbhs) dereferenced an endpoint buffer in its OUT and IN transfer-completion handlers without checking it for NULL. udc_event_xfer_out_done() called net_buf_...

Exploit
  • EPSS 0.25%
  • Veröffentlicht 30.06.2026 16:33:54
  • Zuletzt bearbeitet 06.07.2026 19:42:27

The asynchronous SNTP client in Zephyr (subsys/net/lib/sntp/sntp.c, sntp_close_async) closed the UDP socket file descriptor directly from the calling thread immediately after detaching it from the network socket service, without synchronizing with th...

Exploit
  • EPSS 0.13%
  • Veröffentlicht 30.06.2026 16:29:12
  • Zuletzt bearbeitet 06.07.2026 19:41:51

A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a session teardown (state BT_RFCOMM_STATE_DISC...

Exploit
  • EPSS 0.24%
  • Veröffentlicht 30.06.2026 16:20:16
  • Zuletzt bearbeitet 06.07.2026 19:41:23

The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block ref_count at the start of each variable/heap data allocation -- with plain non-atomic C operators (buf->ref++, i...

Exploit
  • EPSS 0.2%
  • Veröffentlicht 30.06.2026 16:01:34
  • Zuletzt bearbeitet 06.07.2026 19:43:06

The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment (sc=0) always carries a 3-byte time...

Exploit
  • EPSS 0.25%
  • Veröffentlicht 30.06.2026 15:50:46
  • Zuletzt bearbeitet 06.07.2026 19:40:45

Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending p...

Exploit
  • EPSS 0.11%
  • Veröffentlicht 29.06.2026 22:51:27
  • Zuletzt bearbeitet 01.07.2026 13:59:27

mcumgr_serial_process_frag() in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset() on the result of smp_packet_alloc() before checking it for NULL. smp_packet_alloc() uses net_buf_alloc(K_NO_WAIT) against the shared MCUmgr packet po...

Exploit
  • EPSS 0.91%
  • Veröffentlicht 29.06.2026 22:15:22
  • Zuletzt bearbeitet 06.07.2026 19:37:36

Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 an...