PatchSiren

zephyrproject-rtos CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH zephyrproject-rtos CVE published 2026-06-23

CVE-2026-10658

CVE-2026-10658 is a high-severity vulnerability in the Zephyr Bluetooth Host ISO receive path. A missing length validation can be triggered by malformed HCI ISO data, leading to a kernel assert (denial of service) in assert-enabled builds and potential out-of-bounds read behavior in non-assert builds. The issue affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled. This vulnerability has a [truncated]

HIGH zephyrproject-rtos CVE published 2026-06-23

CVE-2026-10651

CVE-2026-10651 is a denial of service vulnerability in Zephyr's Bluetooth Classic SDP parser. A malformed SDP attribute can trigger a reachable assertion, leading to a kernel panic in assert-enabled builds. In builds where assertions are disabled, parsing may continue past the end of the available buffer, leading to an out-of-bounds read and undefined behavior. The vulnerability has a CVSS score of 7.1 an [truncated]

MEDIUM zephyrproject-rtos CVE published 2026-06-23

CVE-2026-10645

CVE-2026-10645 is a medium-severity vulnerability in Zephyr's ext2 directory-entry parser. The issue arises from a lack of full validation of on-disk directory entry structures before copying entry names and advancing traversal states. This can lead to out-of-bounds reads or infinite loops when processing crafted ext2 images. The vulnerability is primarily a denial-of-service (DoS) issue but can also resu [truncated]

HIGH zephyrproject-rtos CVE published 2026-06-09

CVE-2026-5068

CVE-2026-5068 is a HIGH severity vulnerability with a CVSS score of 7.6. A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. This occurs when the application enables segmentation and the chosen RX pool has a user_data_size smaller than 2 bytes. The observed effects are an AddressSanitizer abort and, without ASan, heap corrup [truncated]

CRITICAL zephyrproject-rtos CVE published 2026-06-09

CVE-2026-5067

CVE-2026-5067 is a critical vulnerability in Zephyr's HTTP server WebSocket upgrade path. A remote, unauthenticated attacker can trigger memory corruption by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling, the b [truncated]

MEDIUM zephyrproject-rtos CVE published 2026-06-04

CVE-2026-5066

CVE-2026-5066 is a potential out-of-bounds write/read vulnerability in the TLS socket connect path of the network sockets subsystem. The vulnerability occurs when the TLS session cache is enabled, and the tls_session_store() and tls_session_restore() functions memcpy the caller-supplied address into a fixed-size buffer using the caller-controlled addrlen value without validating it against the destination [truncated]

MEDIUM zephyrproject-rtos CVE published 2026-06-04

CVE-2026-5589

CVE-2026-5589 is a medium-severity vulnerability (CVSS Score: 6.3) caused by an integer underflow in the bt_mesh_sol_recv() function, which handles Bluetooth Mesh solicitation. The vulnerability occurs when the CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled and an attacker-controlled length byte (reported_len) is parsed from raw BLE advertising payloads. If reported_len is less than 3, it can lead to an out- [truncated]

MEDIUM zephyrproject-rtos CVE published 2026-05-30

CVE-2026-5071

A medium-severity vulnerability in Zephyr RTOS's SocketCAN implementation allows out-of-bounds memory reads when userspace applications send truncated CAN frames. The flaw exists because buffer length validation relies solely on NET_ASSERT, which is disabled in production builds. An attacker with local access can trigger denial-of-service crashes or leak adjacent memory contents onto the CAN bus.

MEDIUM zephyrproject-rtos CVE published 2026-05-22

CVE-2026-5072

CVE-2026-5072 is a remotely reachable denial-of-service issue in Zephyr's PTP subsystem. A crafted PTP_MSG_MANAGEMENT message can set an unvalidated negative log_announce_interval value, and later processing of a PTP_MSG_ANNOUNCE message can drive an invalid right-shift in timeout calculation. Because the shift amount can exceed the width of the integer type, the behavior is undefined in C and may crash t [truncated]