CVE-2026-10645
- EPSS 0.21%
- Veröffentlicht 22.06.2026 23:48:11
- Zuletzt bearbeitet 06.07.2026 19:39:29
Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= ...
CVE-2026-10641
- EPSS 0.28%
- Veröffentlicht 17.06.2026 13:14:06
- Zuletzt bearbeitet 26.06.2026 14:58:10
Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in c...
CVE-2026-10640
- EPSS 0.37%
- Veröffentlicht 16.06.2026 13:28:24
- Zuletzt bearbeitet 26.06.2026 20:50:24
Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned ...
CVE-2026-10639
- EPSS 0.23%
- Veröffentlicht 16.06.2026 13:22:23
- Zuletzt bearbeitet 01.07.2026 14:45:00
In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_dat...
CVE-2026-10638
- EPSS 0.35%
- Veröffentlicht 16.06.2026 13:16:14
- Zuletzt bearbeitet 01.07.2026 14:40:19
subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pk...
CVE-2026-10637
- EPSS 0.3%
- Veröffentlicht 16.06.2026 13:13:16
- Zuletzt bearbeitet 01.07.2026 14:21:41
subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/...
CVE-2026-10636
- EPSS 0.26%
- Veröffentlicht 16.06.2026 13:12:58
- Zuletzt bearbeitet 01.07.2026 14:34:49
In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last refe...
CVE-2026-10635
- EPSS 0.16%
- Veröffentlicht 16.06.2026 05:19:20
- Zuletzt bearbeitet 16.06.2026 20:52:48
On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_doma...
CVE-2026-10634
- EPSS 0.27%
- Veröffentlicht 15.06.2026 14:16:43
- Zuletzt bearbeitet 01.07.2026 14:04:32
Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock...
CVE-2026-5068
- EPSS 0.45%
- Veröffentlicht 09.06.2026 06:20:23
- Zuletzt bearbeitet 08.07.2026 13:25:38
A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size small...