Zephyrproject

Zephyr

157 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
Exploit
  • EPSS 0.21%
  • Veröffentlicht 29.06.2026 22:09:10
  • Zuletzt bearbeitet 06.07.2026 19:44:08

The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 code check using the wrong operator p...

Exploit
  • EPSS 0.13%
  • Veröffentlicht 29.06.2026 21:39:08
  • Zuletzt bearbeitet 01.07.2026 14:01:19

The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls k_sem_take(&data-sync_sem, K_F...

Exploit
  • EPSS 0.19%
  • Veröffentlicht 28.06.2026 04:28:22
  • Zuletzt bearbeitet 06.07.2026 19:43:34

The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state() (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields...

Exploit
  • EPSS 0.27%
  • Veröffentlicht 28.06.2026 04:04:11
  • Zuletzt bearbeitet 06.07.2026 19:43:57

Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object (struct getaddrinfo_state ai_state) as the user_data of an asynchronous DNS resolver query. The socket layer w...

Exploit
  • EPSS 0.15%
  • Veröffentlicht 28.06.2026 04:02:47
  • Zuletzt bearbeitet 06.07.2026 19:43:47

The Microchip SERCOM-G1 UART driver (drivers/serial/uart_mchp_sercom_g1.c), used by the PIC32CM-JH SoC family, contains an out-of-bounds write in its asynchronous (DMA) receive path. When uart_rx_enable() is invoked with a one-byte receive buffer (le...

  • EPSS 0.12%
  • Veröffentlicht 27.06.2026 22:59:22
  • Zuletzt bearbeitet 06.07.2026 19:43:21

Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg-msg_controllen < pktinfo_len) before writing a full co...

Exploit
  • EPSS 0.28%
  • Veröffentlicht 25.06.2026 16:27:17
  • Zuletzt bearbeitet 06.07.2026 19:54:08

Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated R...

Exploit
  • EPSS 0.19%
  • Veröffentlicht 24.06.2026 21:32:05
  • Zuletzt bearbeitet 02.07.2026 14:23:20

The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to wor...

  • EPSS 0.16%
  • Veröffentlicht 22.06.2026 23:58:47
  • Zuletzt bearbeitet 06.07.2026 19:40:19

A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ...

Exploit
  • EPSS 0.17%
  • Veröffentlicht 22.06.2026 23:54:36
  • Zuletzt bearbeitet 06.07.2026 19:40:00

A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attri...