This page lists publicly disclosed CVE vulnerabilities affecting zephyrproject zephyr (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-10635 | On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list, xtensa_domain_list, of active memory domains using a list node embedded inside the caller-owned struct k_mem_domain. When a domain is destroyed via k_mem_domain_deinit() - arch_mem_domain_deinit(), the page tables are torn down and domain-arch.ptables is set to NULL, but the domain's node was not removed from xtensa_domain_list. The freed/deinitialized domain t | [email protected] | 6.3 | 0.16% | 2026-06-16 | 2026-06-17 |
| CVE-2026-1679 | The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow `eswifi->buf`, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly. | [email protected] | 7.3 | 0.21% | 2026-03-27 | 2026-06-17 |
| CVE-2026-4179 | Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop. | [email protected] | 6.1 | 0.18% | 2026-03-16 | 2026-06-17 |
| CVE-2026-0849 | Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution. | [email protected] | 3.8 | 0.24% | 2026-03-16 | 2026-06-17 |
| CVE-2026-1678 | dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled. | [email protected] | 9.4 | 0.38% | 2026-03-05 | 2026-06-17 |
| CVE-2026-20435 | In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS10607099; Issue ID: MSV-6118. | [email protected] | 4.6 | 0.11% | 2026-03-02 | 2026-06-17 |
| CVE-2025-20747 | In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010443; Issue ID: MSV-3966. | [email protected] | 6.7 | 0.07% | 2025-11-04 | 2026-06-17 |
| CVE-2025-20746 | In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10010441; Issue ID: MSV-3967. | [email protected] | 6.7 | 0.07% | 2025-11-04 | 2026-06-17 |
| CVE-2025-7403 | Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption. | [email protected] | 7.6 | 0.19% | 2025-09-19 | 2026-06-17 |
| CVE-2025-10458 | Parameters are not validated or sanitized, and are later used in various internal operations. | [email protected] | 7.6 | 0.20% | 2025-09-19 | 2026-06-17 |
| CVE-2025-10457 | The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching. | [email protected] | 4.3 | 0.37% | 2025-09-19 | 2026-06-17 |
| CVE-2025-10456 | A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption, depending on the BLE stack implementation. | [email protected] | 7.1 | 0.19% | 2025-09-19 | 2026-06-17 |
| CVE-2025-20696 | In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09915215; Issue ID: MSV-3801. | [email protected] | 6.8 | 0.11% | 2025-08-03 | 2026-06-17 |
| CVE-2025-2962 | A denial-of-service issue in the dns implemenation could cause an infinite loop. | [email protected] | 7.5 | 0.48% | 2025-06-24 | 2026-06-17 |
| CVE-2025-1675 | The function dns_copy_qname in dns_pack.c performs performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data. | [email protected] | 8.2 | 0.40% | 2025-02-25 | 2026-06-17 |
| CVE-2025-1674 | A lack of input validation allows for out of bounds reads caused by malicious or malformed packets. | [email protected] | 8.2 | 0.29% | 2025-02-25 | 2026-06-17 |
| CVE-2025-1673 | A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation. | [email protected] | 8.2 | 0.32% | 2025-02-25 | 2026-06-17 |
| CVE-2024-10395 | No proper validation of the length of user input in http_server_get_content_type_from_extension. | [email protected] | 8.6 | 0.28% | 2025-02-03 | 2026-06-17 |
| CVE-2024-8798 | No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c. | [email protected] | 7.5 | 0.39% | 2024-12-15 | 2026-06-17 |
| CVE-2024-11263 | When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols. | [email protected] | 9.3 | 0.16% | 2024-11-15 | 2026-06-17 |