Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

zephyr — Vulnerabilities & Security Advisories 162

All 162 CVE vulnerabilities found in zephyr, with AI-generated Chinese analysis, references, and POCs.

This page catalogs known Common Weakness Enumerations affecting the Zephyr real-time operating system developed by OpenSynergy and its community contributors. The collection aggregates a comprehensive range of security vulnerabilities identified within the Zephyr codebase, including memory safety issues, privilege escalation flaws, denial of service conditions, and improper input validation errors. These entries cover historical and recent disclosures spanning from the early development phases of the project through the present day, ensuring a complete audit trail of security incidents. Users can utilize this resource to track vendor security advisories for Zephyr, gaining insight into how the maintainers address and patch critical flaws as they emerge. Additionally, the page serves as a detailed reference for understanding specific weakness classes within the context of embedded systems and RTOS environments, helping developers recognize potential risks in their own implementations. By reviewing the vulnerability history of the product, engineering teams and security auditors can better assess the impact of known issues on their specific deployments and prioritize remediation efforts based on severity and exploitability. This structured aggregation facilitates proactive security management by providing a clear view of the threat landscape associated with the Zephyr project, allowing stakeholders to make informed decisions about upgrading to secure versions or implementing necessary mitigations. The data presented here is curated to support transparency and improve overall system resilience across the diverse range of devices and applications that rely on this open-source operating system for their core functionality.

Vendor: zephyrproject-rtos

CVE IDTitleCVSSSeverityPublished
CVE-2026-10667 SMP use-after-free in Zephyr `CONFIG_USERSPACE` dynamic kernel-object tracking, reachable from unprivileged user threads CWE-416 7.8 High2026-07-12
CVE-2026-10668 Host-triggerable control-endpoint wedge (DoS) in Nuvoton NuMaker HSUSBD UDC driver CWE-400 2.4 Low2026-07-12
CVE-2026-10666 Stack buffer overflow in `net_ipaddr_parse()` IPv4 address-with-port parsing in `subsys/net/ip/utils.c` CWE-787 8.1 High2026-07-12
CVE-2026-10665 Heap buffer overflow on WireGuard receive path via unbounded incoming packet length CWE-787 7.4 High2026-07-12
CVE-2026-10663 Use-after-free / double-free of the root USB device in the experimental USB host stack CWE-416 6.1 Medium2026-07-12
CVE-2026-10664 Out-of-bounds write in nRF70 Wi-Fi driver power-save event handler (unbounded TWT flow count) CWE-787 5.0 Medium2026-07-12
CVE-2026-10660 Shared reassembly buffer in Bluetooth BAP Broadcast Assistant enables cross-connection memory corruption CWE-787 6.4 Medium2026-07-11
CVE-2026-10659 NULL pointer dereference in Zephyr Dhara FTL disk driver on flash read error during journal resume CWE-476 4.7 Medium2026-07-07
CVE-2026-10657 Out-of-bounds read in Zephyr DNS resolver mDNS suffix check (memcmp past string NUL) CWE-125 3.7 Low2026-07-05
CVE-2026-10656 NULL-pointer dereference DoS in MAX32 USB device controller transfer-completion handlers CWE-476 4.6 Medium2026-07-05
CVE-2026-10655 Use-after-free race in SNTP async client when closing the socket while the socket service is still polling it CWE-416 6.5 Medium2026-06-30
CVE-2026-10654 RFCOMM session-disconnect race leaks session/L2CAP and denies further RFCOMM service in Zephyr Bluetooth Classic CWE-362 3.1 Low2026-06-30
CVE-2026-10653 Non-atomic `net_buf` reference counts cause double-free / free-list corruption under concurrent unref CWE-415 6.4 Medium2026-06-30
CVE-2026-9263 Out-of-bounds read in Bluetooth Controller ISOAL framed RX reassembly leaks adjacent memory into host HCI ISO packets CWE-125 6.5 Medium2026-06-30
CVE-2026-10652 Out-of-bounds read in Zephyr DNS resolver TXT/SRV record parsing (unvalidated `rdlength`) CWE-125 4.8 Medium2026-06-30
CVE-2026-10648 NULL-pointer dereference in MCUmgr serial/console SMP transport on buffer-pool exhaustion CWE-476 6.2 Medium2026-06-29
CVE-2026-8023 Path traversal in Zephyr HTTP server static-filesystem resource handler allows unauthenticated remote arbitrary file read CWE-22 7.5 High2026-06-29
CVE-2026-7656 Broken IPv6 Neighbor Discovery input validation allows spoofed RA/NS/NA acceptance in Zephyr net stack CWE-670 8.1 High2026-06-29
CVE-2026-10647 Deadlock denial of service in USB CDC-NCM device class on TX enqueue failure CWE-833 5.3 Medium2026-06-29
CVE-2026-10593 Remotely triggerable NULL-pointer dereference in Bluetooth LE Audio BAP unicast client QoS-state handling CWE-476 6.5 Medium2026-06-28
CVE-2026-10646 Use-after-return in `zsock_getaddrinfo()` when a timed-out DNS query is retried without cancellation CWE-416 7.4 High2026-06-28
CVE-2026-10644 Out-of-bounds write in Microchip SERCOM-G1 (PIC32CM-JH) async UART RX with 1-byte buffer CWE-787 4.2 Medium2026-06-28
CVE-2026-10643 Out-of-bounds heap write in Zephyr `recvmsg()` ancillary-data path (`insert_pktinfo` undersizes the control-buffer capacity check) CWE-787 8.7 High2026-06-27
CVE-2026-13351 net: Maliciously fragmented IPv6 packets can prevent receiving/processing future incoming packets CWE-772 7.5 High2026-06-25
CVE-2026-10642 Unbounded TX busy-loop DoS in Zephyr PL011 UART driver under CTS hardware flow control CWE-835 6.5 Medium2026-06-24
CVE-2026-10658 Bluetooth Host ISO RX Missing SDU Header Length Validation in bt_iso_recv() Leads to DoS 7.1 High2026-06-22
CVE-2026-10651 Bluetooth Classic SDP parser truncation bug in bt_sdp_parse_attribute() leads to reachable assertion and possible out-of-bounds read CWE-20 7.1 High2026-06-22
CVE-2026-10645 fs: ext2: Missing structural validation of directory entries can cause out-of-bounds read and zero-progress directory traversal CWE-125 4.9 Medium2026-06-22
CVE-2026-10641 Out-of-bounds write in Bluetooth HFP Hands-Free CIND indicator parsing (cind_handle_values) CWE-787 7.1 High2026-06-17
CVE-2026-10640 Use-after-free reading `net_pkt` `iface` after send in IPv6 Neighbor Discovery (`ipv6_nbr.c`) CWE-416 4.2 Medium2026-06-16

All 162 known CVE vulnerabilities affecting zephyr with full Chinese analysis, references, and POCs where available.