.. _vulnerabilities_2023: CVE-2023 ######## :cve:`2023-0396` ---------------- Buffer Overreads in Bluetooth HCI - `Zephyr project bug tracker GHSA-8rpp-6vxq-pqg3 `_ :cve:`2023-0397` ---------------- DoS: Invalid Initialization in le_read_buffer_size_complete() - `Zephyr project bug tracker GHSA-wc2h-h868-q7hj `_ This has been fixed in main for v3.3.0 - `PR 54905 fix for main `_ - `PR 47957 fix for v3.2.0 `_ - `PR 47958 fix for v3.1.0 `_ - `PR 47959 fix for v2.7.4 `_ :cve:`2023-0779` ---------------- net: shell: Improper input validation - `Zephyr project bug tracker GHSA-9xj8-6989-r549 `_ This has been fixed in main for v3.3.0 - `PR 54371 fix for main `_ - `PR 54380 fix for v3.2.0 `_ - `PR 54381 fix for v2.7.4 `_ :cve:`2023-1901` ---------------- HCI send_sync Dangling Semaphore Reference Re-use - `Zephyr project bug tracker GHSA-xvvm-8mcm-9cq3 `_ This has been fixed in main for v3.4.0 - `PR 56709 fix for main `_ :cve:`2023-1902` ---------------- HCI Connection Creation Dangling State Reference Re-use - `Zephyr project bug tracker GHSA-fx9g-8fr2-q899 `_ This has been fixed in main for v3.4.0 - `PR 56709 fix for main `_ :cve:`2023-3725` ---------------- Potential buffer overflow vulnerability in the Zephyr CANbus subsystem. - `Zephyr project bug tracker GHSA-2g3m-p6c7-8rr3 `_ This has been fixed in main for v3.5.0 - `PR 61502 fix for main `_ - `PR 61518 fix for 3.4 `_ - `PR 61517 fix for 3.3 `_ - `PR 61516 fix for 2.7 `_ :cve:`2023-4257` ---------------- Unchecked user input length in the Zephyr WiFi shell module can cause buffer overflows. - `Zephyr project bug tracker GHSA-853q-q69w-gf5j `_ This has been fixed in main for v3.5.0 - `PR 605377 fix for main `_ - `PR 61383 fix for 3.4 `_ :cve:`2023-4258` ---------------- bt: mesh: vulnerability in provisioning protocol implementation on provisionee side - `Zephyr project bug tracker GHSA-m34c-cp63-rwh7 `_ This has been fixed in main for v3.5.0 - `PR 59467 fix for main `_ - `PR 60078 fix for 3.4 `_ - `PR 60079 fix for 3.3 `_ :cve:`2023-4259` ---------------- Buffer overflow vulnerabilities in the Zephyr eS-WiFi driver - `Zephyr project bug tracker GHSA-gghm-c696-f4j4 `_ This has been fixed in main for v3.5.0 - `PR 63074 fix for main `_ - `PR 63750 fix for main `_ :cve:`2023-4260` ---------------- Off-by-one buffer overflow vulnerability in the Zephyr FS subsystem - `Zephyr project bug tracker GHSA-gj27-862r-55wh `_ This has been fixed in main for v3.5.0 - `PR 63079 fix for main `_ :cve:`2023-4262` ---------------- - This issue has been determined to be a false positive after further analysis. :cve:`2023-4263` ---------------- Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nRF 15.4 driver. - `Zephyr project bug tracker GHSA-rf6q-rhhp-pqhf `_ This has been fixed in main for v3.5.0 - `PR 60528 fix for main `_ - `PR 61384 fix for 3.4 `_ - `PR 61216 fix for 2.7 `_ :cve:`2023-4264` ---------------- Potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem - `Zephyr project bug tracker GHSA-rgx6-3w4j-gf5j `_ This has been fixed in main for v3.5.0 - `PR 58834 fix for main `_ - `PR 60465 fix for main `_ - `PR 61845 fix for main `_ - `PR 61385 fix for 3.4 `_ :cve:`2023-4265` ---------------- Two potential buffer overflow vulnerabilities in Zephyr USB code - `Zephyr project bug tracker GHSA-4vgv-5r6q-r6xh `_ This has been fixed in main for v3.4.0 - `PR 59157 fix for main `_ - `PR 59018 fix for main `_ :cve:`2023-4424` ---------------- bt: hci: DoS and possible RCE - `Zephyr project bug tracker GHSA-j4qm-xgpf-qjw3 `_ This has been fixed in main for v3.5.0 - `PR 61651 fix for main `_ - `PR 61696 fix for 3.4 `_ - `PR 61695 fix for 3.3 `_ - `PR 61694 fix for 2.7 `_ :cve:`2023-5055` ---------------- L2CAP: Possible Stack based buffer overflow in le_ecred_reconf_req() - `Zephyr project bug tracker GHSA-wr8r-7f8x-24jj `_ This has been fixed in main for v3.5.0 - `PR 62381 fix for main `_ :cve:`2023-5139` ---------------- Potential buffer overflow vulnerability in the Zephyr STM32 Crypto driver. - `Zephyr project bug tracker GHSA-rhrc-pcxp-4453 `_ This has been fixed in main for v3.5.0 - `PR 61839 fix for main `_ :cve:`2023-5184` ---------------- Potential signed to unsigned conversion errors and buffer overflow vulnerabilities in the Zephyr IPM driver - `Zephyr project bug tracker GHSA-8x3p-q3r5-xh9g `_ This has been fixed in main for v3.5.0 - `PR 63069 fix for main `_ :cve:`2023-5563` ---------------- The SJA1000 CAN controller driver backend automatically attempts to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception. - `Zephyr project bug tracker GHSA-98mc-rj7w-7rpv `_ This has been fixed in main for v3.5.0 - `PR 63713 fix for main `_ - `PR 63718 fix for 3.4 `_ - `PR 63717 fix for 3.3 `_ :cve:`2023-5753` ---------------- Potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem source code when asserts are disabled. - `Zephyr project bug tracker GHSA-hmpr-px56-rvww `_ This has been fixed in main for v3.5.0 - `PR 63605 fix for main `_ :cve:`2023-5779` ---------------- Out of bounds issue in remove_rx_filter in multiple can drivers. - `Zephyr project bug tracker GHSA-7cmj-963q-jj47 `_ This has been fixed in main for v3.6.0 - `PR 64399 fix for main `_ - `PR 64416 fix for 3.5 `_ - `PR 64415 fix for 3.4 `_ - `PR 64427 fix for 3.3 `_ - `PR 64431 fix for 2.7 `_ :cve:`2023-6249` ---------------- Signed to unsigned conversion problem in esp32_ipm_send may lead to buffer overflow - `Zephyr project bug tracker GHSA-32f5-3p9h-2rqc `_ This has been fixed in main for v3.6.0 - `PR 65546 fix for main `_ :cve:`2023-6749` ---------------- Potential buffer overflow due unchecked data coming from user input in settings shell. - `Zephyr project bug tracker GHSA-757h-rw37-66hw `_ This has been fixed in main for v3.6.0 - `PR 66451 fix for main `_ - `PR 66584 fix for 3.5 `_ :cve:`2023-6881` ---------------- Potential buffer overflow vulnerability in Zephyr fuse file system. - `Zephyr project bug tracker GHSA-mh67-4h3q-p437 `_ This has been fixed in main for v3.6.0 - `PR 66592 fix for main `_ :cve:`2023-7060` ---------------- Missing Security Control in Zephyr OS IP Packet Handling - `Zephyr project bug tracker GHSA-fjc8-223c-qgqr `_ This has been fixed in main for v3.6.0 - `PR 66645 fix for main `_ - `PR 66739 fix for 3.5 `_ - `PR 66738 fix for 3.4 `_ - `PR 66887 fix for 2.7 `_