CVE-2021-3436
CVE-2021-3436 is a medium-severity vulnerability in Zephyrproject Zephyr with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-694.
Key facts
- Severity: Medium (CVSS 3.x base score 4.3)
- CVSS v2: 6.4
- EPSS exploit prediction: 1% (57th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-694
- Affected product: Zephyrproject Zephyr
- Published:
- Last modified:
Description
BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63
Frequently asked questions
- What is CVE-2021-3436?
- BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63
- How severe is CVE-2021-3436?
- CVE-2021-3436 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over an adjacent network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability low.
- Is CVE-2021-3436 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (57th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-3436?
- CVE-2021-3436 primarily affects Zephyrproject Zephyr. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-3436?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-3436 published?
- CVE-2021-3436 was published on 2021-10-05 and last updated on 2026-06-17.
References
Affected products (3)
- cpe:2.3:o:zephyrproject:zephyr:1.14.2:*:*:*:*:*:*:*
- cpe:2.3:o:zephyrproject:zephyr:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:o:zephyrproject:zephyr:2.5.0:*:*:*:*:*:*:*
More vulnerabilities in Zephyrproject Zephyr
- CVE-2026-5067 — Critical (CVSS 9.8): A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by…
- CVE-2022-3806 — Critical (CVSS 9.8): Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.
- CVE-2017-14199 — Critical (CVSS 9.8): A buffer overflow has been found in the Zephyr Project's getaddrinfo() implementation in 1.9.0 and 1.10.0.
- CVE-2018-1000800 — Critical (CVSS 9.8): zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(),…
- CVE-2021-3329 — Critical (CVSS 9.6): Lack of proper validation in HCI Host stack initialization can cause a crash of the bluetooth stack
- CVE-2023-0397 — Critical (CVSS 9.6): A malicious / defect bluetooth controller can cause a Denial of Service due to unchecked input in…
All CVEs affecting Zephyrproject Zephyr →
Other CWE-694 vulnerabilities
- CVE-2025-13609 — High (CVSS 8.2): A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using…
- CVE-2025-59048 — High (CVSS 8.1): OpenBao's AWS Plugin generates AWS access credentials based on IAM policies. Prior to version 0.1.1, the AWS Plugin is…
- CVE-2023-20100 — Medium (CVSS 6.8): A vulnerability in the access point (AP) joining process of the Control and Provisioning of Wireless Access Points…
- CVE-2026-5794 — Medium (CVSS 4.9): A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by…
- CVE-2024-41146 — Medium (CVSS 4.6): Use of Multiple Resources with Duplicate Identifier (CWE-694) in the Controller 6000 and Controller 7000 Platforms…