zephyrproject zephyr
119 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-1679
<= 4.3.0
The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sen
7.3
HIGH
CVE-2026-4179
<= 4.3.0
Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.
6.1
MEDIUM
CVE-2026-0849
all versions
Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing
3.8
LOW
CVE-2026-1678
<= 4.3.0
dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size b
9.4
CRITICAL
CVE-2026-20435
all versions
In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information dis
4.6
MEDIUM
CVE-2025-20747
all versions
In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of
6.7
MEDIUM
CVE-2025-20746
all versions
In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of
6.7
MEDIUM
CVE-2025-7403
<= 4.1.0
Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacke
7.6
HIGH
CVE-2025-10458
<= 4.1.0
Parameters are not validated or sanitized, and are later used in various internal operations.
7.6
HIGH
CVE-2025-10457
<= 4.1.0
The function responsible for handling BLE connection responses does not verify whether a response is expected, that is, whether the
4.3
MEDIUM
CVE-2025-10456
<= 4.1.0
A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an
7.1
HIGH
CVE-2025-20696
all versions
In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if
6.8
MEDIUM
CVE-2025-2962
<= 4.1.0
A denial-of-service issue in the DNS implementation could cause an infinite loop.
7.5
HIGH
CVE-2025-1675
<= 4.0.0
The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted field and does not check if the s
8.2
HIGH
CVE-2025-1674
<= 4.0
A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.
8.2
HIGH
CVE-2025-1673
<= 4.0
A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or
8.2
HIGH
CVE-2024-10395
<= 3.7.0
No proper validation of the length of user input in http_server_get_content_type_from_extension.
8.6
HIGH
CVE-2024-8798
<= 3.7.0
No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
7.5
HIGH
CVE-2024-11263
<= 3.7.0
When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start o
9.3
CRITICAL
CVE-2024-6444
<= 3.6.0
No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
6.3
MEDIUM
CVE-2024-6443
<= 3.6.0
In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty.
6.3
MEDIUM
CVE-2024-6442
<= 3.6.0
In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.
6.3
MEDIUM
CVE-2024-6259
<= 3.6.0
BT: HCI: adv_ext_report Improper discarding in adv_ext_report
7.6
HIGH
CVE-2024-6137
<= 3.6.0
BT: Classic: SDP OOB access in get_att_search_list
7.6
HIGH
CVE-2024-6135
<= 3.6.0
BT: Classic: Multiple missing buf length checks
7.6
HIGH
CVE-2024-5931
<= 3.6.0
BT: Unchecked user input in bap_broadcast_assistant
6.3
MEDIUM
CVE-2024-6258
< 3.6.0
BT: Missing length checks of net_buf in rfcomm_handle_data
6.8
MEDIUM
CVE-2024-5754
< 3.6.0
BT: Encryption procedure host vulnerability
8.2
HIGH
CVE-2024-4785
< 3.7.0
BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero
7.6
HIGH
CVE-2024-3332
<= 3.6.0
A malicious BLE device can send a specific order of packet sequence to cause a DoS attack on the victim BLE device
6.5
MEDIUM
CVE-2024-3077
<= 3.6.0
A malicious BLE device can crash a victim BLE device by sending a malformed GATT packet
6.8
MEDIUM
CVE-2023-7060
< 3.6.0
Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 12
8.6
HIGH
CVE-2023-6881
<= 3.5.0
Possible buffer overflow in is_mount_point
7.3
HIGH
CVE-2024-1638
<= 3.5.0
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: At
8.2
HIGH
CVE-2023-6249
< 3.5.0
Signed to unsigned conversion esp32_ipm_send
8.0
HIGH
CVE-2023-5779
<= 3.5.0
can: out of bounds in remove_rx_filter function
4.4
MEDIUM
CVE-2023-6749
<= 3.5.0
Unchecked length coming from user input in settings shell
8.0
HIGH
CVE-2023-5055
<= 3.4.0
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req.
8.3
HIGH
CVE-2023-4424
<= 3.4.0
A malicious BLE device can cause buffer overflow by sending malformed advertising packet BLE device using Zephyr OS, leading to D
8.3
HIGH
CVE-2023-5139
<= 3.4.0
Potential buffer overflow vulnerability at the following location in the Zephyr STM32 Crypto driver
4.4
MEDIUM
CVE-2023-5753
<= 3.4.0
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
6.3
MEDIUM
CVE-2023-4257
<= 3.4.0
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows.
7.6
HIGH
CVE-2023-4263
<= 3.4.0
Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nRF 15.4 driver
7.6
HIGH
CVE-2023-5563
<= 3.4.0
The SJA1000 CAN controller driver backend automatically attempts to recover from a bus-off event when built with CONFIG_CAN_AUTO_BU
7.1
HIGH
CVE-2023-3725
<= 3.4.0
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem
7.6
HIGH
CVE-2023-5184
<= 3.4.0
Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IP
7.0
HIGH
CVE-2023-4264
<= 3.4.0
Potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem.
7.1
HIGH
CVE-2023-4260
<= 3.4.0
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system.
6.3
MEDIUM
CVE-2023-4259
<= 3.4.0
Two potential buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code.
7.1
HIGH
CVE-2023-4258
< 3.4.0
In the Bluetooth mesh implementation, if a provisionee has a public key that is sent OOB then during provisioning it can be sent back and
8.6
HIGH
CVE-2023-4265
<= 3.3.0
Potential buffer overflow vulnerabilities in the following locations: https://github.com/zephyrproject-rtos/zephyr/blob/main/driv
6.4
MEDIUM
CVE-2023-2234
<= 3.3.0
Union variant confusion allows any malicious BT controller to execute arbitrary code on the Zephyr host.
6.8
MEDIUM
CVE-2023-1902
<= 3.3.0
The bluetooth HCI host layer logic not clearing a global reference to a state pointer after handling connection events may allow a
5.9
MEDIUM
CVE-2023-1901
<= 3.3.0
The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may all
5.9
MEDIUM
CVE-2023-0359
<= 3.2.0
A missing nullptr-check in handle_ra_input can cause a nullptr-deref.
5.9
MEDIUM
CVE-2023-0779
<= 3.2.0
At the most basic level, an invalid pointer can be input that crashes the device, but with more knowledge of the device’s memory
6.7
MEDIUM
CVE-2021-3329
all versions
Lack of proper validation in HCI Host stack initialization can cause a crash of the bluetooth stack
9.6
CRITICAL
CVE-2023-0396
<= 3.2.0
A malicious / defective Bluetooth controller can cause buffer overreads in most functions that process HCI command responses.
6.8
MEDIUM
CVE-2022-3806
<= 3.2.0
Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.
9.8
CRITICAL
CVE-2023-0397
<= 3.2.0
A malicious / defective Bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buffer_size_complete.
9.6
CRITICAL
CVE-2021-3966
< 3.0.0
usb device bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem.
9.6
CRITICAL
CVE-2022-0553
< 3.0.0
There is no check to see if slot 0 is being uploaded from the device to the host. When using encrypted images this means the unenc
6.5
MEDIUM
CVE-2022-2993
<= 3.1.0
There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all r
8.6
HIGH
CVE-2022-2741
<= 3.1.0
The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable nod
8.2
HIGH
CVE-2022-1841
<= 3.0.0
In subsys/net/ip/tcp.c, function tcp_flags, when the incoming parameter flags is ECN or CWR, the buf will out-of-bounds write a
7.2
HIGH
CVE-2022-1042
<= 3.0.0
In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.
8.2
HIGH
CVE-2022-1041
<= 3.0.0
In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.
8.2
HIGH
CVE-2021-3435
>= 2.4.0 and < 2.6.0
Information leakage in le_ecred_conn_req(). Zephyr versions >= v2.4.0 Use of Uninitialized Resource (CWE-908). For more informatio
4.0
MEDIUM
CVE-2021-3434
>= 2.5.0 and < 2.6.0
Stack based buffer overflow in le_ecred_conn_req(). Zephyr versions >= v2.5.0 Stack-based Buffer Overflow (CWE-121). For more info
4.9
MEDIUM
CVE-2021-3433
>= 2.5.0 and < 2.6.0
Invalid channel map in CONNECT_IND results in Deadlock. Zephyr versions >= v2.5.0 Improper Check or Handling of Exceptional Condit
4.0
MEDIUM
CVE-2021-3432
>= 1.14.0 and < 2.6.0
Invalid interval in CONNECT_IND leads to Division by Zero. Zephyr versions >= v1.14.0 Divide By Zero (CWE-369). For more informati
4.3
MEDIUM
CVE-2021-3431
>= 2.5.0 and < 2.6.0
Assertion reachable with repeated LL_FEATURE_REQ. Zephyr versions >= v2.5.0 contain Reachable Assertion (CWE-617). For more inform
4.3
MEDIUM
CVE-2021-3430
>= 1.14.0 and < 2.6.0
Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. Zephyr versions >= v1.14 contain Reachable Assertion (CWE-617). For mor
6.5
MEDIUM
CVE-2021-3861
>= 2.6.0 and <= 2.7.1
The RNDIS USB device class includes a buffer overflow vulnerability. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow
8.2
HIGH
CVE-2021-3835
>= 2.6.0 and < 2.7.1
Buffer overflow in usb device class. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information,
8.2
HIGH
CVE-2021-3455
>= 2.4.0 and < 2.6.0
Disconnecting L2CAP channel right after invalid ATT request leads to freeze. Zephyr versions >= 2.4.0, >= 2.5.0 contain Use After Fre
4.3
MEDIUM
CVE-2021-3454
>= 2.4.0 and < 2.6.0
Truncated L2CAP K-frame causes assertion failure. Zephyr versions >= 2.4.0, >= v.2.50 contain Improper Handling of Length Paramete
4.3
MEDIUM
CVE-2021-3330
>= 2.4.0 and < 2.5.0
RCE/DOS: Linked-list corruption leading to large out-of-bounds write while sorting for forged fragment list in Zephyr. Zephyr vers
7.1
HIGH
CVE-2021-3323
>= 2.4.0 and < 2.5.0
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Zephyr versions >= 2.4.0 contain Integer Underflow (Wrap or Wr
8.3
HIGH
CVE-2021-3322
>= 2.4.0 and < 2.5.0
Unexpected Pointer Aliasing in IEEE 802154 Fragment Reassembly in Zephyr. Zephyr versions >= 2.4.0 contain NULL Pointer Derefere
6.5
MEDIUM
CVE-2021-3321
>= 2.4.0 and < 2.5.0
Integer Underflow in Zephyr in IEEE 802154 Fragment Reassembly Header Removal. Zephyr versions >= 2.4.0 contain Integer Overflow
7.5
HIGH
CVE-2021-3625
>= 2.5.0 and < 2.7.0
Buffer overflow in Zephyr USB DFU DNLOAD. Zephyr versions >= v2.5.0 contain Heap-based Buffer Overflow (CWE-122). For more informa
9.6
CRITICAL
CVE-2021-3581
>= 2.5.0 and < 2.6.0
Buffer Access with Incorrect Length Value in zephyr. Zephyr versions >= 2.5.0 contain Buffer Access with Incorrect Length Value
7.0
HIGH
CVE-2021-3510
all versions
Zephyr JSON decoder incorrectly decodes array of array. Zephyr versions >= >1.14.0, >= >2.5.0 contain Attempt to Access Child of a
7.5
HIGH
CVE-2021-3436
all versions
BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr v
4.3
MEDIUM
CVE-2021-3319
>= 2.4.0 and < 2.5.0
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Zephyr versions >= > v2.4.0 contain NULL Pointer Deref
6.5
MEDIUM
CVE-2021-3320
>= 2.0.0 and <= 2.4.0
Type Confusion in 802154 ACK Frames Handling. Zephyr versions >= v2.4.0 contain NULL Pointer Dereference (CWE-476). For more infor
5.9
MEDIUM
CVE-2020-13603
<= 1.14.2
Integer Overflow in memory allocating functions. Zephyr versions >= 1.14.2, >= 2.4.0 contain Integer Overflow or Wraparound (CWE-1
6.9
MEDIUM
CVE-2020-13602
<= 1.14.2
Remote Denial of Service in LwM2M do_write_op_tlv. Zephyr versions >= 1.14.2, >= 2.2.0 contain Improper Input Validation (CWE-20),
4.0
MEDIUM
CVE-2020-13601
<= 1.14.2
Possible read out of bounds in dns read. Zephyr versions >= 1.14.2, >= 2.3.0 contain Out-of-bounds Read (CWE-125). For more inform
9.0
CRITICAL
CVE-2020-13600
<= 1.14.2
Malformed SPI in response for eswifi can corrupt kernel memory. Zephyr versions >= 1.14.2, >= 2.3.0 contain Heap-based Buffer Over
7.0
HIGH
CVE-2020-13599
<= 1.14.2
Security problem with settings and littlefs. Zephyr versions >= 1.14.2, >= 2.3.0 contain Incorrect Default Permissions (CWE-276).
3.3
LOW
CVE-2020-13598
<= 1.14.2
FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat. Zephyr versions >= v1.14.2, >= v2.3.0 contain Sta
6.3
MEDIUM
CVE-2020-10072
<= 1.14.2
Improper Handling of Insufficient Permissions or Privileges in zephyr. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Hand
5.9
MEDIUM
CVE-2020-10069
<= 1.14.2
Zephyr Bluetooth unchecked packet data results in denial of service. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handli
4.3
MEDIUM
CVE-2020-10066
<= 1.14.2
Incorrect Error Handling in Bluetooth HCI core. Zephyr versions >= v1.14.2, >= v2.2.0 contain NULL Pointer Dereference (CWE-476).
2.5
LOW
CVE-2020-10065
<= 1.14.2
Missing Size Checks in Bluetooth HCI over SPI. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Length Parameter
3.8
LOW
CVE-2020-10064
<= 1.14.2
Improper Input Frame Validation in ieee802154 Processing. Zephyr versions >= v1.14.2, >= v2.2.0 contain Stack-based Buffer Overflo
8.3
HIGH
CVE-2020-10071
<= 2.2.0
The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow an
9.0
CRITICAL
CVE-2020-10070
<= 2.2.0
In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-
9.0
CRITICAL
CVE-2020-10068
< 1.14.0
In the Zephyr project Bluetooth subsystem, certain duplicate and back-to-back packets can cause incorrect behavior, resulting in a
5.1
MEDIUM
CVE-2020-10063
<= 2.2.0
A remote adversary with the ability to send arbitrary CoAP packets to be parsed by Zephyr is able to cause a denial of service. Th
6.8
MEDIUM
CVE-2020-10062
<= 2.2.0
An off-by-one error in the Zephyr project MQTT packet length decoder can result in memory corruption and possible remote code exec
9.0
CRITICAL
CVE-2020-10061
< 1.14.0
Improper handling of the full-buffer case in the Zephyr Bluetooth implementation can result in memory corruption. This issue affec
8.1
HIGH
CVE-2020-10067
all versions
A malicious userspace application can cause an integer overflow and bypass security checks performed by system call handlers. The i
7.5
HIGH
CVE-2020-10060
>= 2.1.0 and < 2.4.0
In updatehub_probe, right after JSON parsing is complete, objects[1] is accessed from the output structure in two different place
8.0
HIGH
CVE-2020-10059
all versions
The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware image
4.8
MEDIUM
CVE-2020-10058
all versions
Multiple syscalls in the Kscan subsystem perform insufficient argument validation, allowing code executing in userspace to potenti
7.8
HIGH
CVE-2020-10028
all versions
Multiple syscalls with insufficient argument validation. See NCC-ZEP-006. This issue affects: zephyrproject-rtos zephyr version 1.14
7.8
HIGH
CVE-2020-10027
all versions
An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-
7.8
HIGH
CVE-2020-10024
all versions
The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained
7.8
HIGH
CVE-2020-10023
all versions
The shell subsystem contains a buffer overflow, whereby an adversary with physical access to the device is able to cause a memory
6.9
MEDIUM
CVE-2020-10022
all versions
A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could resu
9.0
CRITICAL
CVE-2020-10021
<= 1.14.1
Out-of-bounds Write in the USB Mass Storage memoryWrite handler with unaligned Sizes. See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026. Thi
8.1
HIGH
CVE-2020-10019
< 1.14.2
USB DFU has a potential buffer overflow where the requested length (wLength) is not checked against the buffer size. This could be
8.1
HIGH
CVE-2017-14202
< 1.14.0
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the shell component of Zephyr allows a se
7.8
HIGH
CVE-2017-14201
< 1.14.0
Use After Free vulnerability in the Zephyr shell allows a serial or telnet connected user to cause denial of service, and possibly
7.8
HIGH
CVE-2017-14199
all versions
A buffer overflow has been found in the Zephyr Project's getaddrinfo() implementation in 1.9.0 and 1.10.0.
9.8
CRITICAL
CVE-2018-1000800
all versions
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get() that can
9.8
CRITICAL
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin