PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5067 zephyrproject-rtos CVE debrief

CVE-2026-5067 is a critical vulnerability in Zephyr's HTTP server WebSocket upgrade path. A remote, unauthenticated attacker can trigger memory corruption by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling, the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in a crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.

Vendor
zephyrproject-rtos
Product
Zephyr
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-09
Original CVE updated
2026-06-09
Advisory published
2026-06-09
Advisory updated
2026-06-09

Who should care

Users of Zephyr's HTTP server with WebSocket support enabled (CONFIG_HTTP_SERVER_WEBSOCKET) should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability is caused by a bounded copy of the Sec-WebSocket-Key header into a fixed-size buffer without guaranteeing NUL termination. This can lead to out-of-bounds read and write on stack memory when the input length reaches the buffer size.

Defensive priority

high

Recommended defensive actions

  • Update to a version of Zephyr that includes a fix for this vulnerability.
  • Disable WebSocket support (CONFIG_HTTP_SERVER_WEBSOCKET) if not needed.

Evidence notes

The CVE-2026-5067 vulnerability was published on June 9, 2026, and has a CVSS score of 9.8. The vulnerability is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.

Official resources

CVE-2026-5067 was published on [2026-06-09T06:16:53.920Z](https://www.cve.org/CVERecord?id=CVE-2026-5067) and last modified on [2026-06-09T14:16:45.247Z](https://nvd.nist.gov/vuln/detail/CVE-2026-5067).