Zephyrproject

Zephyr

157 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
Exploit
  • EPSS 0.64%
  • Veröffentlicht 09.06.2026 06:01:02
  • Zuletzt bearbeitet 08.07.2026 13:27:22

A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy th...

Exploit
  • EPSS 0.32%
  • Veröffentlicht 04.06.2026 20:31:25
  • Zuletzt bearbeitet 08.07.2026 13:27:57

A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller...

Exploit
  • EPSS 0.22%
  • Veröffentlicht 04.06.2026 19:54:49
  • Zuletzt bearbeitet 08.07.2026 13:28:55

An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs fro...

Exploit
  • EPSS 0.17%
  • Veröffentlicht 30.05.2026 07:15:56
  • Zuletzt bearbeitet 08.07.2026 13:30:31

The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where ass...

Exploit
  • EPSS 0.19%
  • Veröffentlicht 22.05.2026 07:00:36
  • Zuletzt bearbeitet 08.07.2026 13:31:40

A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval val...

Exploit
  • EPSS 0.14%
  • Veröffentlicht 12.05.2026 05:39:02
  • Zuletzt bearbeitet 08.07.2026 13:34:13

Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both t...

Exploit
  • EPSS 0.24%
  • Veröffentlicht 11.05.2026 06:16:08
  • Zuletzt bearbeitet 08.07.2026 13:36:24

Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_tls_version...

Exploit
  • EPSS 0.2%
  • Veröffentlicht 05.04.2026 03:34:56
  • Zuletzt bearbeitet 08.07.2026 13:38:21

A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed ...

Exploit
  • EPSS 0.22%
  • Veröffentlicht 27.03.2026 23:21:18
  • Zuletzt bearbeitet 31.03.2026 20:35:00

The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send...

Exploit
  • EPSS 0.18%
  • Veröffentlicht 14.03.2026 21:51:33
  • Zuletzt bearbeitet 02.04.2026 20:45:41

Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.