CVE-2026-7656
- EPSS 0.21%
- Veröffentlicht 29.06.2026 22:09:10
- Zuletzt bearbeitet 06.07.2026 19:44:08
The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 code check using the wrong operator p...
CVE-2026-10647
- EPSS 0.13%
- Veröffentlicht 29.06.2026 21:39:08
- Zuletzt bearbeitet 01.07.2026 14:01:19
The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls k_sem_take(&data-sync_sem, K_F...
CVE-2026-10593
- EPSS 0.19%
- Veröffentlicht 28.06.2026 04:28:22
- Zuletzt bearbeitet 06.07.2026 19:43:34
The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state() (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields...
CVE-2026-10646
- EPSS 0.27%
- Veröffentlicht 28.06.2026 04:04:11
- Zuletzt bearbeitet 06.07.2026 19:43:57
Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object (struct getaddrinfo_state ai_state) as the user_data of an asynchronous DNS resolver query. The socket layer w...
CVE-2026-10644
- EPSS 0.15%
- Veröffentlicht 28.06.2026 04:02:47
- Zuletzt bearbeitet 06.07.2026 19:43:47
The Microchip SERCOM-G1 UART driver (drivers/serial/uart_mchp_sercom_g1.c), used by the PIC32CM-JH SoC family, contains an out-of-bounds write in its asynchronous (DMA) receive path. When uart_rx_enable() is invoked with a one-byte receive buffer (le...
CVE-2026-10643
- EPSS 0.12%
- Veröffentlicht 27.06.2026 22:59:22
- Zuletzt bearbeitet 06.07.2026 19:43:21
Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary (msg_control) buffer using only the payload length (msg-msg_controllen < pktinfo_len) before writing a full co...
CVE-2026-13351
- EPSS 0.28%
- Veröffentlicht 25.06.2026 16:27:17
- Zuletzt bearbeitet 06.07.2026 19:54:08
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated R...
CVE-2026-10642
- EPSS 0.19%
- Veröffentlicht 24.06.2026 21:32:05
- Zuletzt bearbeitet 02.07.2026 14:23:20
The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to wor...
CVE-2026-10658
- EPSS 0.16%
- Veröffentlicht 22.06.2026 23:58:47
- Zuletzt bearbeitet 06.07.2026 19:40:19
A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ...
CVE-2026-10651
- EPSS 0.17%
- Veröffentlicht 22.06.2026 23:54:36
- Zuletzt bearbeitet 06.07.2026 19:40:00
A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attri...