.. _vulnerabilities_2025: CVE-2025 ######## :cve:`2025-1673` ---------------- Out of bounds read when calling crc16_ansi and strlen in dns_validate_msg A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation. - `Zephyr project bug tracker GHSA-jjhx-rrh4-j8mx `_ This has been fixed in main for v4.1.0 - `PR 82072 fix for main `_ - `PR 82289 fix for 4.0 `_ - `PR 82288 fix for 3.7 `_ :cve:`2025-1674` ---------------- Out of bounds read when unpacking DNS answers A lack of input validation allows for out of bounds reads caused by malicious or malformed packets. - `Zephyr project bug tracker GHSA-x975-8pgf-qh66 `_ This has been fixed in main for v4.1.0 - `PR 82072 fix for main `_ - `PR 82289 fix for 4.0 `_ - `PR 82288 fix for 3.7 `_ :cve:`2025-1675` ---------------- Out of bounds read in dns_copy_qname The function dns_copy_qname in dns_pack.c performs performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data. - `Zephyr project bug tracker GHSA-2m84-5hfw-m8v4 `_ This has been fixed in main for v4.1.0 - `PR 82072 fix for main `_ - `PR 82289 fix for 4.0 `_ - `PR 82288 fix for 3.7 `_ :cve:`2025-2962` ---------------- Infinite loop in dns_copy_qname A denial-of-service issue in the dns implementation could cause an infinite loop. - `Zephyr project bug tracker GHSA-2qp5-c2vq-g2ww `_ This has been fixed in main for v4.2.0 - `PR 87753 fix for main `_ - `PR 87925 fix for 4.1 `_ - `PR 87949 fix for 3.7 `_ :cve:`2025-7403` ---------------- Bluetooth: bt_conn_tx_processor unsafe handling Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption. - `Zephyr project bug tracker GHSA-9r46-cqqw-6j2j `_ This has been fixed in main for v4.2.0 - `PR 90975 fix for main `_ :cve:`2025-10456` ----------------- Bluetooth: Semi-Arbitrary ability to make the BLE Target send disconnection requests A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption. - `Zephyr project bug tracker GHSA-hcc8-3qr7-c9m8 `_ This has been fixed in main for v4.2.0 - `PR 93576 fix for main `_ - `PR 100474 fix for 3.7 `_ :cve:`2025-10457` ----------------- Bluetooth: Out-Of-Context le_conn_rsp handling The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching. - `Zephyr project bug tracker GHSA-xqj6-vh76-2vv8 `_ This has been fixed in main for v4.2.0 - `PR 94080 fix for main `_ :cve:`2025-10458` ----------------- Bluetooth: le_conn_rsp does not sanitize CID, MTU, MPS values Parameters are not validated or sanitized, and are later used in various internal operations. - `Zephyr project bug tracker GHSA-vmww-237q-2fwp `_ This has been fixed in main for v4.2.0 - `PR 93174 fix for main `_ :cve:`2025-9408` ---------------- Userspace privilege escalation vulnerability on Cortex M System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes. - `Zephyr project bug tracker GHSA-3r6j-5mp3-75wr `_ This has been fixed in main for v4.3.0 - `PR 95101 fix for main `_ - `PR 96850 fix for main `_ - `PR 96014 fix for 4.2 `_ - `PR 97306 fix for 4.2 `_ - `PR 96015 fix for 4.1 `_ - `PR 97305 fix for 4.1 `_ - `PR 96030 fix for 3.7 `_ - `PR 97313 fix for 3.7 `_ :cve:`2025-9557` ---------------- Bluetooth: Mesh: Out-of-Bound Write in gen_prov_cont An out-of-bound write can lead to an arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service. - `Zephyr project bug tracker GHSA-r3j3-c5v7-2ppf `_ This has been fixed in main for v4.3.0 - `PR 95061 fix for main `_ - `PR 97518 fix for 4.2 `_ - `PR 97517 fix for 4.1 `_ :cve:`2025-9558` ---------------- Bluetooth: Mesh: Out-of-Bound Write in gen_prov_start There is a potential OOB Write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receiver buffer without any validation on the data size. - `Zephyr project bug tracker GHSA-8wvr-688x-68vr `_ This has been fixed in main for v4.3.0 - `PR 95064 fix for main `_ - `PR 97520 fix for 4.2 `_ - `PR 97519 fix for 4.1 `_ :cve:`2025-12035` ----------------- Bluetooth: Integer Overflow in Bluetooth Classic (BR/EDR) L2CAP An integer overflow condition exists in Bluetooth Host stack, within the bt_br_acl_recv routine a critical path for processing inbound BR/EDR L2CAP traffic. - `Zephyr project bug tracker GHSA-p793-3456-h7w3 `_ This has been fixed in main for v4.3.0 - `PR 97370 fix for main `_ :cve:`2025-12890` ----------------- Bluetooth: peripheral: Invalid handling of malformed connection request Improper handling of malformed Connection Request with the interval set to be 1 (which supposed to be illegal) and the chM 0x7CFFFFFFFF triggers a crash. The peripheral will not be connectable after it. - `Zephyr project bug tracker GHSA-8hrf-pfww-83v9 `_ This has been fixed in main for v4.2.0 - `PR 89955 fix for main `_ :cve:`2025-12899` ----------------- net: icmp: Out of bound memory read A flaw in Zephyr’s network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem. - `Zephyr project bug tracker GHSA-c2vg-hj83-c2vg `_ This has been fixed in main for v4.3.0 - `PR 98780 fix for main `_ - `PR 98983 fix for 4.2 `_ - `PR 98984 fix for 4.1 `_ - `PR 98985 fix for 3.7 `_