Zephyr Project 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
一般的な弱点パターンには バッファオーバーフロー、vendor risk memory corruption、vendor risk input validation, and パス処理の欠陥 があり、vendor surface software deployment の利用場面で vendor impact memory corruption、アプリケーションクラッシュ, and vendor impact unexpected behavior などのリスクが生じる可能性があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-1679 | The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly. | [email protected] | 7.3 | 0.05% | 2026-03-28 | 2026-03-31 |
| CVE-2026-4179 | Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop. | [email protected] | 6.1 | 0.01% | 2026-03-16 | 2026-04-02 |
| CVE-2026-0849 | Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution. | [email protected] | 3.8 | 0.01% | 2026-03-16 | 2026-04-02 |
| CVE-2026-1678 | dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled. | [email protected] | 9.4 | 0.05% | 2026-03-05 | 2026-03-09 |
| CVE-2026-20435 | In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118. | [email protected] | 4.6 | 0.02% | 2026-03-02 | 2026-03-03 |
| CVE-2025-20747 | In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010443; Issue ID: MSV-3966. | [email protected] | 6.7 | 0.02% | 2025-11-04 | 2025-11-05 |
| CVE-2025-20746 | In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010441; Issue ID: MSV-3967. | [email protected] | 6.7 | 0.02% | 2025-11-04 | 2025-11-05 |
| CVE-2025-7403 | Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption. | [email protected] | 7.6 | 0.01% | 2025-09-19 | 2025-10-29 |
| CVE-2025-10458 | Parameters are not validated or sanitized, and are later used in various internal operations. | [email protected] | 7.6 | 0.01% | 2025-09-19 | 2025-10-29 |
| CVE-2025-10457 | The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching. | [email protected] | 4.3 | 0.06% | 2025-09-19 | 2025-10-29 |
| CVE-2025-10456 | A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption, depending on the BLE stack implementation. | [email protected] | 7.1 | 0.02% | 2025-09-19 | 2025-10-29 |
| CVE-2025-20696 | In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09915215; Issue ID: MSV-3801. | [email protected] | 6.8 | 0.02% | 2025-08-04 | 2025-08-18 |
| CVE-2025-2962 | A denial-of-service issue in the dns implemenation could cause an infinite loop. | [email protected] | 7.5 | 0.15% | 2025-06-24 | 2025-10-30 |
| CVE-2025-1675 | The function dns_copy_qname in dns_pack.c performs performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data. | [email protected] | 8.2 | 0.40% | 2025-02-25 | 2025-03-03 |
| CVE-2025-1674 | A lack of input validation allows for out of bounds reads caused by malicious or malformed packets. | [email protected] | 8.2 | 0.29% | 2025-02-25 | 2025-02-28 |
| CVE-2025-1673 | A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation. | [email protected] | 8.2 | 0.40% | 2025-02-25 | 2025-02-28 |
| CVE-2024-10395 | No proper validation of the length of user input in http_server_get_content_type_from_extension. | [email protected] | 8.6 | 0.28% | 2025-02-03 | 2025-10-29 |
| CVE-2024-8798 | No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c. | [email protected] | 7.5 | 0.28% | 2024-12-16 | 2025-09-17 |
| CVE-2024-11263 | When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols. | [email protected] | 9.3 | 0.16% | 2024-11-15 | 2025-02-03 |
| CVE-2024-6444 | No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c. | [email protected] | 6.3 | 0.05% | 2024-10-04 | 2024-11-13 |