Zephyrproject

Zephyr

157 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
Exploit
  • EPSS 0.21%
  • Veröffentlicht 22.06.2026 23:48:11
  • Zuletzt bearbeitet 06.07.2026 19:39:29

Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= ...

Exploit
  • EPSS 0.28%
  • Veröffentlicht 17.06.2026 13:14:06
  • Zuletzt bearbeitet 26.06.2026 14:58:10

Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in c...

Exploit
  • EPSS 0.37%
  • Veröffentlicht 16.06.2026 13:28:24
  • Zuletzt bearbeitet 26.06.2026 20:50:24

Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned ...

Exploit
  • EPSS 0.23%
  • Veröffentlicht 16.06.2026 13:22:23
  • Zuletzt bearbeitet 01.07.2026 14:45:00

In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_dat...

  • EPSS 0.35%
  • Veröffentlicht 16.06.2026 13:16:14
  • Zuletzt bearbeitet 01.07.2026 14:40:19

subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pk...

Exploit
  • EPSS 0.3%
  • Veröffentlicht 16.06.2026 13:13:16
  • Zuletzt bearbeitet 01.07.2026 14:21:41

subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/...

Exploit
  • EPSS 0.26%
  • Veröffentlicht 16.06.2026 13:12:58
  • Zuletzt bearbeitet 01.07.2026 14:34:49

In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last refe...

Exploit
  • EPSS 0.16%
  • Veröffentlicht 16.06.2026 05:19:20
  • Zuletzt bearbeitet 16.06.2026 20:52:48

On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_doma...

Exploit
  • EPSS 0.27%
  • Veröffentlicht 15.06.2026 14:16:43
  • Zuletzt bearbeitet 01.07.2026 14:04:32

Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock...

Exploit
  • EPSS 0.45%
  • Veröffentlicht 09.06.2026 06:20:23
  • Zuletzt bearbeitet 08.07.2026 13:25:38

A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size small...