Vulnerabilities
This page collects all of the vulnerabilities that are discovered and fixed in each release. It will also often have more details than is available in the releases. Some vulnerabilities are deemed to be sensitive, and will not be publicly discussed until there is sufficient time to fix them. Because the release notes are locked to a version, the information here can be updated after the embargo is lifted.
Vulnerabilities from previous years are collected on separate pages:
CVE-2026
CVE 2026-0849
crypto: ATAES132A response length allows stack buffer overflow
Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.
This has been fixed in main for v4.4.0
CVE 2026-1677
net: TLS 1.2 connections allowed on TLS 1.3 sockets
Zephyr sockets created with IPPROTO_TLS_1_3 can still negotiate a TLS 1.2 connection when both
TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated
to mbedTLS (e.g. via mbedtls_ssl_conf_min_tls_version). The ClientHello advertises both versions
and the peer can establish TLS 1.2, so applications that assumed IPPROTO_TLS_1_3 enforces TLS
1.3 may silently use TLS 1.2 and remain exposed to TLS 1.2-specific weaknesses.
This has been fixed in main for v4.4.0
CVE 2026-1678
dns: memory‑safety issue in the DNS name parser
dns_unpack_name() caches the buffer tailroom once and reuses it while appending
DNS labels. As the buffer grows, the cached size becomes incorrect, and the final
null terminator can be written past the buffer. With assertions disabled (default),
a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER
is enabled.
This has been fixed in main for v4.4.0
CVE 2026-1679
The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends overflow eswifi->buf, corrupting kernel memory (CWE-120). Exploit requires local code that can call the socket send API; no remote attacker can reach it directly.
This has been fixed in main for v4.4.0
CVE 2026-1681
net: Stack Overflow with Ping (to own IP Address) via Shell
Issuing an ICMP ping via the net ping shell command to a device’s own IPv4 address causes the
network stack to recursively re-enter the input path on the same system work-queue stack. Because
the destination is recognized as a local address, both the echo request and the resulting echo reply
are processed inline before the current frame returns. The nested input-path frames exceed the
work-queue stack and trigger a stack overflow.
This has been fixed in main for v4.4.0
CVE 2026-4179
stm32: usb: Infinite while loop in Interrupt Handler
Issues in stm32 USB device driver can lead to an infinite while loop.
This has been fixed in main for v4.4.0
CVE 2026-5066
net: sockets: tls: Potential out-of-bounds write/read in socket_op_vtable::connect function
A potential out-of-bounds write/read exists in the TLS socket connect path of the
network sockets subsystem (subsys/net/lib/sockets/sockets_tls.c). When the TLS
session cache is enabled, tls_session_store() and tls_session_restore()
memcpy the caller-supplied address into a fixed-size buffer using the
caller-controlled addrlen value without validating it against the destination
size. Since struct net_sockaddr is an opaque type, an application can pass an
addrlen larger than sizeof(struct net_sockaddr) (for example 128 bytes into
a 24-byte stack buffer), causing the memcpy to read and write past the end of
the address memory used by the TLS session cache. This can lead to a crash and
denial of service, and potentially to arbitrary code execution.
This has been fixed in main for v4.4.0
CVE 2026-5067
Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key
A remote, unauthenticated attacker can trigger memory corruption in Zephyr’s
HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key
header that is copied without guaranteed NUL termination and then passed to
strlen(). This can cause out-of-bounds read and out-of-bounds write on
stack memory, leading to a crash (denial of service) and potentially code
execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is
enabled.
This has been fixed in main for v4.4.0
CVE 2026-5068
Bluetooth: L2CAP LE CoC: remote out-of-bounds write via segmentation counter stored in net_buf user_data
A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in
the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application
enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a
user_data_size smaller than 2 bytes, the segmentation counter stored in the
net_buf user_data area is written out of bounds in
l2cap_chan_le_recv_seg (subsys/bluetooth/host/l2cap.c). This can lead to
heap corruption and a fatal error.
This has been fixed in main for v4.4.0
CVE 2026-5071
can: Local Denial of Service via SocketCAN Send
The SocketCAN send path (zcan_sendto_ctx) validated the caller-supplied buffer
length with a NET_ASSERT instead of a real runtime check. In production builds
where assertions are compiled out, a userspace app could pass a buffer shorter
than struct socketcan_frame, and socketcan_to_can_frame() would dereference
fields past the end of that buffer — an out-of-bounds read that can crash the
system (local DoS) or, because the parsed frame is then transmitted, potentially
leak adjacent memory.
This has been fixed in main for v4.4.0
CVE 2026-5072
net: ptp: Potential Denial of Service via PTP Interval Shift
A bitwise shift vulnerability allows a remote attacker to cause undefined behavior and potential crashes in the PTP subsystem by sending a crafted PTP Management or Delay Response packet containing a large, unvalidated, negative log_announce_interval used in the bitwise shift operation.
This has been fixed in main for v4.4.0
CVE 2026-5589
Bluetooth: Mesh: Out-of-bounds write caused by an integer underflow
An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation
handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write.
When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation
PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled
length byte and computes reported_len - 3 without checking that reported_len is
at least 3. When the value is smaller, the signed subtraction yields a negative number
that bypasses the length guard and is then implicitly converted to a very large
size_t, advancing the buffer pointer far out of bounds so that subsequent reads
dereference invalid memory. A nearby BLE device can trigger this with a non-connectable
advertisement carrying a UUID16 AD structure and a crafted length byte, with no pairing
or prior association required, potentially leading to denial of service or arbitrary
code execution.
This has been fixed in main for v4.4.0
CVE 2026-5590
net: ip/tcp: Null pointer dereference can be triggered by a race condition
A race condition during TCP connection teardown can cause tcp_recv() to operate on a connection that has already been released. If tcp_conn_search() returns NULL while processing a SYN packet, a NULL pointer derived from stale context data is passed to tcp_backlog_is_full() and dereferenced without validation, leading to a crash.
This has been fixed in main for v4.4.0
CVE 2026-8718
Under embargo until 2026-08-08
CVE 2026-9263
Under embargo until 2026-06-28