Zephyrproject Zephyr
By the Year
In 2026 there have been 9 vulnerabilities in Zephyrproject Zephyr with an average score of 5.5 out of ten. Last year, in 2025, Zephyr had 4 security vulnerabilities published. That is, 5 more vulnerabilities have already been reported in 2026 than in all of last year. Last year's average CVE base score was greater by 3.03.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 9 | 5.47 |
| 2025 | 4 | 8.50 |
| 2024 | 20 | 7.74 |
| 2023 | 26 | 8.21 |
| 2022 | 14 | 7.06 |
| 2021 | 23 | 7.68 |
| 2020 | 17 | 7.92 |
| 2019 | 3 | 0.00 |
| 2018 | 1 | 9.80 |
It may take a day or so for new Zephyr vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Zephyrproject Zephyr Security Vulnerabilities
Zephyr PL011 UART Driver Unbounded Loop Causing CS DoS (v4.1.0-v4.4.0)
CVE-2026-10642
6.5 - Medium
- June 24, 2026
The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to work around the controller's level-transition TX-interrupt behavior. When CTS hardware flow control is enabled (devicetree hw-flow-control or runtime UART_CFG_FLOW_CTRL_RTS_CTS) and the wired serial peer de-asserts CTS, the controller stops draining the TX FIFO; pl011_fifo_fill() then returns 0 on every call while the application still has pending data and therefore never disables the TX interrupt. The loop condition never clears, so the thread that called uart_irq_tx_enable() (e.g. h4_send() in the Bluetooth HCI H4 driver) spins indefinitely, hanging the executing context and stalling the transport: a denial of service (CWE-835). An attacker controlling the device attached to the UART's CTS line can trigger the hang by withholding CTS during transmission. Impact is availability only; there is no memory-safety, confidentiality, or integrity consequence. The vulnerable loop was introduced in commit b783bc8448ef (Feb 2025) and shipped in releases v4.1.0 through v4.4.0. The fix breaks out of the loop when CTS is blocking and arms the CTS modem-status interrupt to resume transmission when CTS re-asserts.
Infinite Loop
Zephyr HFP_HF CIND Parser OOB Write (v4.4.0)
CVE-2026-10641
7.1 - High
- June 17, 2026
Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf->ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf. Because the parser places no cap on the number of +CIND: list entries, a remote Audio Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction. The sibling consumer ag_indicator_handle_values() already performed the equivalent bounds check; this commit adds the same index >= ARRAY_SIZE(hf->ind_table) guard to close the gap. Affects builds with CONFIG_BT_HFP_HF enabled; introduced with the original HFP HF CIND parser (~v1.7) and present through v4.4.0.
Memory Corruption
Zephyr IPv6 ND Use-After-Free (v3.3.0-v4.4.0)
CVE-2026-10640
4.2 - Medium
- June 16, 2026
Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success path the network stack owns and releases the packet's reference (the L2/driver send unrefs it, e.g. ethernet_send → net_pkt_unref), so for a freshly allocated packet with refcount 1 the net_pkt slab block can be freed before the statistics line runs (synchronously when no TX queue thread is configured, or via a concurrent TX thread otherwise). The subsequent net_pkt_iface(pkt) reads pkt->iface from the freed slab block, and with CONFIG_NET_STATISTICS_PER_INTERFACE enabled that loaded pointer is dereferenced to increment iface->stats.icmp.sent, a use-after-free (CWE-416). If the slab block was reallocated in the meantime the read/increment targets unrelated or attacker-influenced memory, yielding corrupted statistics, a fault/crash (denial of service), or potential limited memory corruption. The vulnerable Neighbor Advertisement path is reachable by any unauthenticated on-link node simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 enabled (handle_ns_input → net_ipv6_send_na). Affected from v3.3.0 through v4.4.0; the fix uses the already-available iface argument instead of touching the sent packet. Configurations without per-interface statistics dereference only a global counter and are not affected by the memory-safety aspect.
Dangling pointer
Zephyr OS 4.4 UA-READ/WRITE via ICMPv4 Echo-Reply Stats
CVE-2026-10639
4.8 - Medium
- June 16, 2026
In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX path (net_if_try_queue_tx → net_if_tx → L2/driver send, or the asynchronous net_if_tx_thread), which can unref it to refcount 0 and return the struct net_pkt to its slab (net_pkt_unref → k_mem_slab_free) before the stats line runs. net_core.c documents this exact contract ('the pkt might contain garbage already ... do not use pkt after that call'). The post-send net_pkt_iface(reply) therefore reads reply->iface out of a freed (and possibly already reallocated) net_pkt, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the stats macro additionally increments a counter through that value, i.e. a dereference/write through a stale or recycled-slot pointer. The path is reached unauthenticated by any remote host that pings the device (net_icmpv4_input → net_icmp_call_ipv4_handlers → icmpv4_handle_echo_request) and is gated on CONFIG_NET_STATISTICS_ICMP. Impact is a probabilistic read of recycled packet memory plus a possible wild-pointer write under a timing race, leading most likely to corrupted interface statistics or a remotely triggerable crash (DoS). The defect was introduced in 2019 (v1.14) and is present through v4.4.0. The companion change in net_icmpv4_send_error() is not a use-after-free because it reads net_pkt_iface(orig), the caller-owned received packet, which stays alive across the send. The fix caches the interface pointer from the live received packet before sending and uses it for the post-send stats updates.
Dangling pointer
Zephyr v4.2-v4.4 ICMPv6 Use-After-Free in net_pkt_iface() leading to DoS
CVE-2026-10638
5.9 - Medium
- June 16, 2026
subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent packet. The send path (net_try_send_data → net_if_tx) unreferences and may free the packet back to its memory slab before returning synchronously in the RX thread when no TX queue is configured (CONFIG_NET_TC_TX_COUNT == 0), and asynchronously the driver/L2 may already have freed it otherwise. net_pkt_iface() therefore dereferences a freed (and possibly reused) net_pkt; with CONFIG_NET_STATISTICS_PER_INTERFACE the stale iface pointer is further dereferenced and written through (iface->stats.icmp.sent++), turning the use-after-free read into a write through an attacker-influenceable pointer. The core stack already documents this hazard in net_core.c ("do not use pkt after that call") and caches iface before sending; the ICMPv6 callers did not. An unauthenticated remote attacker triggers the flaw simply by sending an ICMPv6 Echo Request (ping) or an IPv6 packet that elicits an ICMPv6 error (unknown next header, fragment reassembly timeout, destination unreachable), leading to denial of service via crash and potential memory corruption. Affected: Zephyr networking with CONFIG_NET_NATIVE_IPV6, roughly v4.2.0 through v4.4.0. The fix caches the interface pointer before sending and uses it for all statistics updates; the sibling commit 86e21665d46 fixes the identical bug in ICMPv4.
Dangling pointer
Zephyr IPv6 MLD Send OOB Packet Access Leading to DoS
CVE-2026-10637
5.9 - Medium
- June 16, 2026
subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after that call'), a successful send transfers ownership of the net_pkt and the L2 driver frees it (e.g. ethernet_send() unrefs the packet on success, subsys/net/l2/ethernet/ethernet.c:790), returning it to its k_mem_slab. The subsequent net_pkt_iface(pkt) is therefore a read of a freed object; the recovered interface pointer is then dereferenced and incremented by the per-interface statistics path (net_stats.h UPDATE_STAT/SET_STAT) when CONFIG_NET_STATISTICS_PER_INTERFACE is enabled. If the freed slot is concurrently reallocated, pkt->iface may read back as NULL (NULL-pointer dereference / crash) or as a stale/garbage pointer (stray increment write / memory corruption). The path is reachable remotely on the local link without authentication: handle_mld_query() (registered for NET_ICMPV6_MLD_QUERY) responds to a valid MLDv2 General Query (unspecified multicast address, hop limit 1) by calling send_mld_report() → mld_send(). The result is a remotely triggerable denial of service of the networking stack, with a narrow possibility of memory corruption. The fix caches the interface in a local before sending and no longer touches the packet after net_send_data(). The IPv4/IGMP sibling (igmp_send) already used the corrected pattern.
Dangling pointer
Zephyr IPv4 IGMP UAF in igmp_send before 4.4.0
CVE-2026-10636
3.7 - Low
- June 16, 2026
In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_iface(pkt) after the packet had been handed to net_send_data(). On the successful-send path the packet's last reference may already have been released by the L2 driver or by the network stack's TX handling (synchronously in the default NET_TC_TX_COUNT=0 immediate-transmit configuration), returning the net_pkt slab block to its free list. The subsequent net_pkt_iface(pkt) dereferences the freed packet, a use-after-free read; with CONFIG_NET_STATISTICS_PER_INTERFACE the resulting dangling interface pointer is further dereferenced for a statistics-counter write. The IGMP send path is reachable without authentication from inbound IPv4 IGMP membership queries addressed to 224.0.0.1 (net_ipv4_igmp_input → send_igmp_report/send_igmp_v3_report → igmp_send), as well as from local multicast join/leave/rejoin operations. Realistic impact is undefined behavior and potential denial of service (sporadic crash or stats corruption); a controllable write requires the asynchronous TX path plus a concurrent slab reuse. The flaw was introduced with IGMPv2 support and affects releases from v2.6.0 through v4.4.0. The fix caches the interface pointer before sending. Note the analogous IPv6 MLD path (mld_send in subsys/net/ip/ipv6_mld.c) retains the same unfixed pattern.
Dangling pointer
Zephyr v4.4.0 Xtensa Domain Deinit Bug: Dangling List Causes MMU Crash
CVE-2026-10635
6.3 - Medium
- June 16, 2026
On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain_deinit() → arch_mem_domain_deinit(), the page tables are torn down and domain->arch.ptables is set to NULL, but the domain's node was not removed from xtensa_domain_list. The freed/deinitialized domain therefore remained linked into the global list as a dangling pointer into caller-owned storage that may then be freed or reused. Any subsequent arch_mem_map()/arch_mem_unmap() operation (widely invoked by kernel memory-mapping and demand-paging code) traverses the stale node and dereferences domain->ptables: at minimum a NULL pointer dereference causing a fatal MMU exception (denial of service), and if the k_mem_domain storage has been freed or reused, a use-after-free in which a stale/controlled ptables value is dereferenced and written through during the page-table walk (l2_page_table_map writes l1_table[...] and l2_table[...], and xtensa_mmu_compute_domain_regs writes into the domain struct and the L1 table), yielding page-table memory corruption that can undermine userspace isolation. The vulnerable path is reachable only from privileged kernel/supervisor code (k_mem_domain_deinit is not a syscall), not directly from unprivileged user threads or remotely. Affected: Zephyr v4.4.0 (the Xtensa memory-domain de-initialization feature was introduced in commit 3032b58f52d and first shipped in v4.4.0); fixed on main by adding sys_slist_find_and_remove() in arch_mem_domain_deinit(). The Xtensa MPU path is unaffected.
Dangling pointer
Zephyr OS v4.4.0 Use-After-Free in net_tcp_foreach TCP stack
CVE-2026-10634
4.8 - Medium
- June 15, 2026
Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAINER_SAFE macro, which caches a pointer to the next list node. Prior to this fix the function released tcp_lock while invoking the per-connection callback and re-acquired it afterwards. During that window a concurrent tcp_conn_release(), running on the dedicated TCP work-queue thread when a connection's reference count drops to zero (e.g. a remote peer closing or resetting the connection), can remove and k_mem_slab_free() the cached next connection. When the iterator advances it dereferences the freed (and possibly reallocated) slab memory, a use-after-free that can crash the system (denial of service) and, if the slot has been reused, cause the callback to operate on an attacker-influenced object (potential information disclosure or further fault). net_tcp_foreach() is reached in production via the 'net conn' network shell command and via net_tcp_close_all_for_iface() on interface-down; the freeing side is driven by ordinary TCP traffic. The fix moves the connection/context teardown in tcp_conn_release() inside the tcp_lock critical section and keeps tcp_lock held across the callback in net_tcp_foreach(). The defect was introduced with the modern (TCP2) stack in 2020 and affects releases up to and including v4.4.0.
Dangling pointer
Android Device Admin API OOB Write LPE via Physical Access
CVE-2025-20696
- August 04, 2025
In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09915215; Issue ID: MSV-3801.
Memory Corruption
Buffer Overflow in dns_copy_qname: Untrusted Memcpy in dns_pack.c
CVE-2025-1675
9.1 - Critical
- February 25, 2025
The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data.
OOB Read from Malformed Packets Input Validation Flaw
CVE-2025-1674
8.2 - High
- February 25, 2025
A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.
BIND OOB Read via Empty DNS Packet CVE-2025-1673
CVE-2025-1673
8.2 - High
- February 25, 2025
A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.
Zephyr Bluetooth OTS Client Input Validation Vulnerability
CVE-2024-8798
7.5 - High
- December 16, 2024
No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
Heap-based Buffer Overflow
RISC-V Kernel: Global Pointer (GP) Relative Addressing Misconfiguration
CVE-2024-11263
8.4 - High
- November 15, 2024
When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols.
Zephyr OTS Client Length Validation Vulnerability
CVE-2024-6444
6.5 - Medium
- October 04, 2024
No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
Memory Corruption
Zephyr UTF8 Truncation Bug: Pointer Before String on Empty Input
CVE-2024-6443
6.5 - Medium
- October 04, 2024
In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty.
Out-of-bounds Read
Zephyr RTOS Bluetooth ASCS Buffer Overflow
CVE-2024-6442
6.5 - Medium
- October 04, 2024
In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.
Memory Corruption
BT HCI: adv_ext_report Improper Discarding Vulnerability
CVE-2024-6259
7.6 - High
- September 13, 2024
BT: HCI: adv_ext_report Improper discarding in adv_ext_report
Memory Corruption
BlueZ BT Classic SDP OOB Access via get_att_search_list
CVE-2024-6137
7.6 - High
- September 13, 2024
BT: Classic: SDP OOB access in get_att_search_list
Stack Overflow
BT:Classic Missing Buf Length Checks
CVE-2024-6135
6.5 - Medium
- September 13, 2024
BT:Classic: Multiple missing buf length checks
Divide By Zero
BT: Unchecked Input in bap_broadcast_assistant (CVE-2024-5931)
CVE-2024-5931
6.3 - Medium
- September 13, 2024
BT: Unchecked user input in bap_broadcast_assistant
Improper Validation of Specified Quantity in Input
BT Host-side Encryption Procedure Vulnerability
CVE-2024-5754
8.2 - High
- September 13, 2024
BT: Encryption procedure host vulnerability
Reliance on Untrusted Inputs in a Security Decision
Linux Kernel RFCOMM Missing net_buf Length Check (CVE-2024-6258)
CVE-2024-6258
6.8 - Medium
- September 13, 2024
BT: Missing length checks of net_buf in rfcomm_handle_data
Heap-based Buffer Overflow
Bluetooth LL_CONNECTION_UPDATE_IND Division-by-Zero Crash
CVE-2024-4785
7.6 - High
- August 19, 2024
BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero
Divide By Zero
BLE DoS via malicious packet sequencing
CVE-2024-3332
6.5 - Medium
- July 03, 2024
A malicious BLE device can send a specific order of packet sequence to cause a DoS attack on the victim BLE device
NULL Pointer Dereference
BLE Device Crash via Malformed GATT Packet (CVE-2024-3077)
CVE-2024-3077
6.5 - Medium
- March 29, 2024
A malicious BLE device can crash a victim BLE device by sending a malformed GATT packet.
Integer underflow
Zephyr OS IP Stack mishandles packets with 127.0.0.1 src on external interfaces
CVE-2023-7060
7.5 - High
- March 15, 2024
Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.0.1 or the destination address.
util-linux libmount buffer overflow via is_mount_point
CVE-2023-6881
9.8 - Critical
- February 29, 2024
Possible buffer overflow in is_mount_point
Classic Buffer Overflow
CVE-2024-1638: Zephyr GATT LESC Perms Bypass Encr/Auth
CVE-2024-1638
9.1 - Critical
- February 19, 2024
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: Attribute read/write permission with LE Secure Connection encryption. If set, requires that LE Secure Connections is used for read/write access, however this is only true when it is combined with other permissions, namely BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN (for read) or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN (for write), if these additional permissions are not set (even in secure connections only mode) then the stack does not perform any permission checks on these characteristics and they can be freely written/read.
Signed-to-Unsigned Conversion in esp32_ipm_send (ESP32)
CVE-2023-6249
9.8 - Critical
- February 18, 2024
Signed to unsigned conversion esp32_ipm_send
Incorrect Type Conversion or Cast
Linux CAN Stack OOB in remove_rx_filter (CVE-2023-5779)
CVE-2023-5779
9.8 - Critical
- February 18, 2024
can: out of bounds in remove_rx_filter function
Memory Corruption
Unchecked Length in Settings Shell Exploits Buffer Overflow (BUFOVF)
CVE-2023-6749
9.8 - Critical
- February 18, 2024
Unchecked length coming from user input in settings shell
Memory Corruption
BLE Buffer Overflow in Zephyr le_ecred_reconf_req (CVE-2023-5055)
CVE-2023-5055
9.8 - Critical
- November 21, 2023
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.
Memory Corruption
Buffer Overflow in Zephyr OS BLE Advertising Packet Parser
CVE-2023-4424
8.8 - High
- November 21, 2023
A malicious BLE device can cause a buffer overflow by sending a malformed advertising packet to a BLE device using Zephyr OS, leading to DoS or potential RCE on the victim BLE device.
Classic Buffer Overflow
Zephyr STM32 Crypto driver buffer overflow vulnerability
CVE-2023-5139
7.8 - High
- October 26, 2023
Potential buffer overflow vulnerability at the following location in the Zephyr STM32 Crypto driver
Classic Buffer Overflow
Zephyr BT: Buffer overflow in hci_core.c due to disabled asserts
CVE-2023-5753
8.8 - High
- October 25, 2023
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Classic Buffer Overflow
Zephyr WiFi Shell Buffer Overflow: unchecked input length
CVE-2023-4257
9.8 - Critical
- October 13, 2023
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows.
Incorrect Calculation of Buffer Size
Zephyr nRF 15.4 Driver Buffer Overflow (CVE-2023-4263)
CVE-2023-4263
8.8 - High
- October 13, 2023
Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nRF 15.4 driver
Classic Buffer Overflow
Linux Kernel: SJA1000 CAN Driver Fatal Exception via k_sleep() in IRQ Context
CVE-2023-5563
7.5 - High
- October 13, 2023
The SJA1000 CAN controller driver backend automatically attempts to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception.
Zephyr CAN bus subsystem buffer overflow CVE-2023-3725
CVE-2023-3725
9.8 - Critical
- October 06, 2023
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem
Memory Corruption
Zephyr IPM Drivers: Signed-to-Unsigned Conversion + Buffer Overflows
CVE-2023-5184
8.8 - High
- September 27, 2023
Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.
Classic Buffer Overflow
Zephyr FUSE FS Off-by-One Buffer Overflow
CVE-2023-4260
10 - Critical
- September 27, 2023
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system.
Classic Buffer Overflow
Zephyr OS Bluetooth buf ovfl vuln
CVE-2023-4264
9.6 - Critical
- September 27, 2023
Potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem.
Classic Buffer Overflow
Zephyr eS-WiFi Driver Buffer Overflow
CVE-2023-4259
8.8 - High
- September 26, 2023
Two potential buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code.
Classic Buffer Overflow
Bluetooth Mesh OOB Public Key Provisional Replay Attack
CVE-2023-4258
6.5 - Medium
- September 25, 2023
In the Bluetooth mesh implementation, if the provisionee has a public key that is sent OOB, then during provisioning it can be sent back and will be accepted by the provisionee.
Zephyr GATT SR int overflow OOB write remote code exec
CVE-2023-35673
8.8 - High
- September 11, 2023
In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
Integer Overflow or Wraparound
Zephyr OS USB Driver Buffer Overflow CVE-2023-4265
CVE-2023-4265
6.8 - Medium
- August 12, 2023
Potential buffer overflow vulnerabilities in the following locations: https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/usb/device/usb_dc_native_posix.c#L359 https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/usb/device/class/netusb/function_rndis.c#L841
Classic Buffer Overflow
Zephyr OS RCE via BT Controller Union Variant Confusion
CVE-2023-2234
8.8 - High
- July 10, 2023
Union variant confusion allows any malicious BT controller to execute arbitrary code on the Zephyr host.
Object Type Confusion
Linux Kernel RA Input Nullptr Deref (CVE-2023-0359)
CVE-2023-0359
7.5 - High
- July 10, 2023
A missing nullptr-check in handle_ra_input can cause a nullptr-deref.
NULL Pointer Dereference