Zephyr
Vulnerabilities
120
Known exploited
0
Max CVSS
10
Top EPSS
0.03395
Severity breakdown
Critical
25
High
52
Medium
40
Low
3
Affected version ranges
1.14.0–2.6.02.0.0–2.4.02.1.0–2.4.02.4.0–2.5.02.4.0–2.6.02.5.0–2.6.02.5.0–2.7.02.6.0–2.7.1< 1.14.0< 1.14.2< 3.0.0< 3.4.0< 3.5.0< 3.6.0< 3.7.0≤ 1.14.1≤ 1.14.2≤ 2.2.0≤ 3.0.0≤ 3.1.0≤ 3.2.0≤ 3.3.0≤ 3.4.0≤ 3.5.0
Also matched as (raw): rdk-b,zephyr,android,openwrt,yocto
Top vulnerabilities
CVE-2023-4260Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system.
CVE-2026-1678dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.
CVE-2023-6881Possible buffer overflow in is_mount_point
CVE-2023-6749Unchecked length coming from user input in settings shell
CVE-2023-6249Signed to unsigned conversion esp32_ipm_send
CVE-2023-5779can: out of bounds in remove_rx_filter function
CVE-2023-5055Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.
CVE-2023-4257Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows.
CVE-2023-3725Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem
CVE-2022-3806Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.
CVE-2022-2993There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all requirements were unmet.
CVE-2021-3625Buffer overflow in Zephyr USB DFU DNLOAD. Zephyr versions >= v2.5.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3gr-hgvr-f363
CVE-2021-3323Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Zephyr versions >= >=2.4.0 contain Integer Underflow (Wrap or Wraparound) (CWE-191). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-89j6-qpxf-pfpc
CVE-2021-3319DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Zephyr versions >= > v2.4.0 contain NULL Pointer Dereference (CWE-476), Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364
CVE-2020-13601Possible read out of bounds in dns read. Zephyr versions >= 1.14.2, >= 2.3.0 contain Out-of-bounds Read (CWE-125). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-mm57-9hqw-qh44
CVE-2020-10071The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow and potentially remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.
CVE-2020-10070In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.
CVE-2020-10064Improper Input Frame Validation in ieee802154 Processing. Zephyr versions >= v1.14.2, >= v2.2.0 contain Stack-based Buffer Overflow (CWE-121), Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3gvq-h42f-v3c7
CVE-2020-10062An off-by-one error in the Zephyr project MQTT packet length decoder can result in memory corruption and possible remote code execution. NCC-ZEP-031 This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.
CVE-2020-10022A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in the best case, or code execution in the worst case. See NCC-NCC-016 This issue affects: zephyrproject-rtos zephyr version 2.1.0 and later versions. version 2.2.0 and later versions.
CVE-2018-1000800zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get() that can result in CPU Page Fault (error code 0x00000010). This attack appear to be exploitable via a malicious application call the vulnerable kernel APIs (system sys_ring_buf_get() and sys_ring_buf_put).
CVE-2017-14199A buffer overflow has been found in the Zephyr Project's getaddrinfo() implementation in 1.9.0 and 1.10.0.
CVE-2023-4264Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem.
CVE-2025-1675The function dns_copy_qname in dns_pack.c performs performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data.
CVE-2024-1638The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: Attribute read/write permission with LE Secure Connection encryption. If set, requires that LE Secure Connections is used for read/write access, however this is only true when it is combined with other permissions, namely BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN (for read) or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN (for write), if these additional permissions are not set (even in secure connections only mode) then the stack does not perform any permission checks on these characteristics and they can be freely written/read.