CVE-2026-5067
- EPSS 0.64%
- Veröffentlicht 09.06.2026 06:01:02
- Zuletzt bearbeitet 08.07.2026 13:27:22
A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy th...
CVE-2026-5066
- EPSS 0.32%
- Veröffentlicht 04.06.2026 20:31:25
- Zuletzt bearbeitet 08.07.2026 13:27:57
A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS session cache is enabled, tls_session_store() and tls_session_restore() memcpy the caller...
CVE-2026-5589
- EPSS 0.22%
- Veröffentlicht 04.06.2026 19:54:49
- Zuletzt bearbeitet 08.07.2026 13:28:55
An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs fro...
CVE-2026-5071
- EPSS 0.17%
- Veröffentlicht 30.05.2026 07:15:56
- Zuletzt bearbeitet 08.07.2026 13:30:31
The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where ass...
CVE-2026-5072
- EPSS 0.19%
- Veröffentlicht 22.05.2026 07:00:36
- Zuletzt bearbeitet 08.07.2026 13:31:40
A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval val...
CVE-2026-1681
- EPSS 0.14%
- Veröffentlicht 12.05.2026 05:39:02
- Zuletzt bearbeitet 08.07.2026 13:34:13
Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack. Because the destination is recognized as a local address, both t...
CVE-2026-1677
- EPSS 0.24%
- Veröffentlicht 11.05.2026 06:16:08
- Zuletzt bearbeitet 08.07.2026 13:36:24
Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g. via `mbedtls_ssl_conf_min_tls_version...
CVE-2026-5590
- EPSS 0.2%
- Veröffentlicht 05.04.2026 03:34:56
- Zuletzt bearbeitet 08.07.2026 13:38:21
A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed ...
CVE-2026-1679
- EPSS 0.22%
- Veröffentlicht 27.03.2026 23:21:18
- Zuletzt bearbeitet 31.03.2026 20:35:00
The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send...
CVE-2026-4179
- EPSS 0.18%
- Veröffentlicht 14.03.2026 21:51:33
- Zuletzt bearbeitet 02.04.2026 20:45:41
Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.