Zephyrproject-rtos Zephyr
124 CVEs affecting Zephyrproject-rtos Zephyr. Latest disclosed: 2026-06-04. Critical: 11, High: 56.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2021-3329 | Critical | 9.6 | 2023-02-26 | Lack of proper validation in HCI Host stack initialization can cause a crash of the Bluetooth stack |
| CVE-2023-0397 | Critical | 9.6 | 2023-01-19 | A malicious / defective Bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buffer_size_complete. |
| CVE-2021-3966 | Critical | 9.6 | 2023-01-11 | USB device Bluetooth class includes a buffer overflow related to implementation of net_buf_add_mem. |
| CVE-2021-3625 | Critical | 9.6 | 2021-10-05 | Buffer overflow in Zephyr USB DFU DNLOAD. Zephyr versions >= v2.5.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see https://github.com/… |
| CVE-2026-1678 | Critical | 9.4 | 2026-03-05 | dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the fin… |
| CVE-2024-11263 | Critical | 9.4 | 2024-11-15 | When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is… |
| CVE-2020-13601 | Critical | 9.0 | 2021-05-24 | Possible read out of bounds in dns read. Zephyr versions >= 1.14.2, >= 2.3.0 contain Out-of-bounds Read (CWE-125). For more information, see https://github.com… |
| CVE-2020-10071 | Critical | 9.0 | 2020-06-05 | The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow and potentially remote code exe… |
| CVE-2020-10070 | Critical | 9.0 | 2020-06-05 | In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031 This issue affects: z… |
| CVE-2020-10062 | Critical | 9.0 | 2020-06-05 | An off-by-one error in the Zephyr project MQTT packet length decoder can result in memory corruption and possible remote code execution. NCC-ZEP-031 This issue… |
| CVE-2020-10022 | Critical | 9.0 | 2020-05-11 | A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in… |
| CVE-2024-10395 | High | 8.6 | 2025-02-03 | No proper validation of the length of user input in http_server_get_content_type_from_extension. |
| CVE-2023-7060 | High | 8.6 | 2024-03-15 | Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination add… |
| CVE-2023-4258 | High | 8.6 | 2023-09-25 | In Bluetooth mesh implementation, if provisionee has a public key that is sent OOB then during provisioning it can be sent back and will be accepted by provisio… |
| CVE-2022-2993 | High | 8.6 | 2022-12-12 | There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all requirements were unmet. |
| CVE-2023-5055 | High | 8.3 | 2023-11-21 | Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. |
| CVE-2023-4424 | High | 8.3 | 2023-11-21 | A malicious BLE device can cause buffer overflow by sending malformed advertising packet BLE device using Zephyr OS, leading to DoS or potential RCE on the vi… |
| CVE-2021-3323 | High | 8.3 | 2021-10-12 | Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Zephyr versions >= 2.4.0 contain Integer Underflow (Wrap or Wraparound) (CWE-191). For more… |
| CVE-2020-10064 | High | 8.3 | 2021-05-24 | Improper Input Frame Validation in ieee802154 Processing. Zephyr versions >= v1.14.2, >= v2.2.0 contain Stack-based Buffer Overflow (CWE-121), Heap-based Buffe… |
| CVE-2025-9408 | High | 8.2 | 2025-11-11 | System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace proce… |