1409 matches found

NVD
added 3 days ago | 8 views

CVE-2026-9263

The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment (sc=0) always carries a 3-byte timeoffset, so its segment-header len must be at least...

CVSS 6.5 | EPSS 0.00172
Exploits: 0 | References: 2

NVD
added 3 days ago | 8 views

CVE-2026-10653

The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block refcount at the start of each variable/heap data allocation -- with plain non-atomic C operators (buf->ref++, if (--buf->ref > 0), if (--(*ref_count))). The API is documented as...

CVSS 6.4 | EPSS 0.00162
Exploits: 0 | References: 2

NVD
added 3 days ago | 8 views

CVE-2026-10652

Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer, which validated only the fixed RR header (type, class, TTL, rdlength) and accepted any attacker-declared rdlength, including one extending past the end of the received datagram. The TXT and SRV...

CVSS 4.8 | EPSS 0.00203
Exploits: 0 | References: 2

NVD
added 3 days ago | 8 views

CVE-2026-10654

A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a session teardown (state BT_RFCOMM_STATE_DISCONNECTING, DISC sent, RTX timer armed) and the connect...

CVSS 3.1 | EPSS 0.00124
Exploits: 0 | References: 2

CVE
added 3 days ago | 10 views

CVE-2026-10655

Zephyr’s asynchronous SNTP client (sntp_close_async) can race with the socket service poll thread. Closing the UDP socket descriptor from a different thread (SNTP timeout path) may free and reuse net_context while the poll thread holds a poller node, causing a use-after-fr...

CVSS 6.5 | AI score 5.8 | EPSS 0.0024
Exploits: 0 | References: 2

CVE
added 3 days ago | 10 views

CVE-2026-9263

The CVE-2026-9263 issue affects Zephyr’s Bluetooth controller ISO Adaptation Layer (ISOAL). It stems from insufficient validation of framed ISO PDU start segments: start segments with sc=0 are required to have a len of at least 3 (PDU_ISO_SEG_TIMEOFFSET_SIZE), but isoal_check_seg_header() accepte...

CVSS 6.5 | AI score 6 | EPSS 0.00172
Exploits: 0 | References: 2

CVE
added 3 days ago | 5 views

CVE-2026-10652

Zephyr's DNS resolver (dns_unpack_answer) validates only the fixed RR header and may accept an attacker-declared rdlength that extends past the datagram, enabling an out-of-bounds read in TXT/SRV parsing (dns_validate_record). This can leak stale memory contents to applications and, in s...

CVSS 4.8 | AI score 5.8 | EPSS 0.00203
Exploits: 0 | References: 2

NVD
added 4 days ago | 9 views

CVE-2026-8023

Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled...

CVSS 7.5 | EPSS 0.00691
Exploits: 0 | References: 2

Cvelist
added 4 days ago | 25 views

CVE-2026-10648 NULL-pointer dereference in MCUmgr serial/console SMP transport on buffer-pool exhaustion

mcumgr_serial_process_frag in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset on the result of smp_packet_alloc before checking it for NULL. smp_packet_alloc uses net_buf_alloc(K_NO_WAIT) against the shared MCUmgr packet pool (CONFIG_MCUMGR_TRANSPORT_NETBUF_COUNT, default 4), which returns NULL when...

CVSS 6.2 | EPSS 0.00109
Exploits: 1 | References: 2

CVE
added 4 days ago | 10 views

CVE-2026-8023

CVE-2026-8023 concerns Zephyr’s HTTP server static-filesystem resource handler, where HTTP/1 and HTTP/2 front-ends copied the raw request path into a buffer without removing dot segments. This allowed path traversal to escape the configured web root and read arbitrary files after the filesystem r...

CVSS 7.5 | AI score 6 | EPSS 0.00691
Exploits: 0 | References: 2

Cvelist
added 4 days ago | 23 views

CVE-2026-8023 Path traversal in Zephyr HTTP server static-filesystem resource handler allows unauthenticated remote arbitrary file read

Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled...

CVSS 7.5 | EPSS 0.00691
Exploits: 0 | References: 2

CVE
added 4 days ago | 8 views

CVE-2026-7656

The CVE affects Zephyr’s IPv6 Neighbor Discovery in subsys/net/ip/ipv6_nbr.c (handle_ra_input/handle_ns_input/handle_na_input). A faulty boolean combining ND validity checks with ICMPv6 code allowed any ND message with code 0 to bypass Hop Limit==255 and multicast/RS/RA validation, enabling forge...

CVSS 8.1 | AI score 6 | EPSS 0.00232
Exploits: 0 | References: 2

Cvelist
added 4 days ago | 21 views

CVE-2026-7656 Broken IPv6 Neighbor Discovery input validation allows spoofed RA/NS/NA acceptance in Zephyr net stack

The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 code check using the wrong operator precedence: the form was 'length/hop/source/target checks...

CVSS 8.1 | EPSS 0.00232
Exploits: 0 | References: 2

Cvelist
added 4 days ago | 26 views

CVE-2026-10647 Deadlock denial of service in USB CDC-NCM device class on TX enqueue failure

The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue in its ethernet transmit callback cdc_ncm_send. When the enqueue fails, the function still calls k_sem_take(&data->sync_sem, K_FOREVER), blocking on a completion semaphore that is only ever...

CVSS 5.3 | EPSS 0.00134
Exploits: 1 | References: 2

NVD
added 5 days ago | 11 views

CVE-2026-10646

Zephyr's BSD-sockets getaddrinfo implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object (struct getaddrinfo_state ai_state) as the user_data of an asynchronous DNS resolver query. The socket layer waits on a semaphore with a timeout deliberately set...

CVSS 7.4 | EPSS 0.00255
Exploits: 0 | References: 2

NVD
added 5 days ago | 9 views

CVE-2026-10593

The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields (interval, framing, phy, sdu, rtn, latency, pd) through the...

CVSS 6.5 | EPSS 0.00175
Exploits: 0 | References: 2

Cvelist
added 5 days ago | 34 views

CVE-2026-10593 Remotely triggerable NULL-pointer dereference in Bluetooth LE Audio BAP unicast client QoS-state handling

The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields (interval, framing, phy, sdu, rtn, latency, pd) through the...

CVSS 6.5 | EPSS 0.00175
Exploits: 0 | References: 2

CVE
added 5 days ago | 15 views

CVE-2026-10646

Zephyr's BSD-sockets getaddrinfo() (subsys/net/lib/sockets/getaddrinfo.c) has a use-after-return risk from a stack-allocated ai_state being kept as user_data during a DNS resolver retry. If a semaphore wait times out and the code retries without cancelling the previous query or resetting the sema...

CVSS 7.4 | AI score 5.8 | EPSS 0.00255
Exploits: 0 | References: 2

NVD
added 5 days ago | 10 views

CVE-2026-10643

Zephyr's IP socket recvmsg implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo) validated the user-supplied ancillary msg_control buffer using only the payload length (msg->msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the...

CVSS 8.7 | EPSS 0.00117
Exploits: 0 | References: 1

ATTACKERKB
added 6 days ago | 8 views

CVE-2026-10643

Zephyr's IP socket recvmsg implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo) validated the user-supplied ancillary msg_control buffer using only the payload length (msg->msg_controllen < pktinfo_len) before writing a full control message consisting of an aligned cmsg header plus the...

CVSS 8.7 | AI score 6 | EPSS 0.00117
Exploits: 0 | References: 2 | Affected Software: 1