Every CVE whose affected-product data names Zephyrproject Zephyr, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (145)
CVE-2018-1000800 — CVSS 9.8 (critical): zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get() that can result…
CVE-2017-14199 — CVSS 9.8 (critical): A buffer overflow has been found in the Zephyr Project's getaddrinfo() implementation in 1.9.0 and 1.10.0.
CVE-2022-3806 — CVSS 9.8 (critical): Inconsistent handling of error cases in bluetooth hci may lead to a double free condition of a network buffer.
CVE-2023-0397 — CVSS 9.6 (critical): A malicious / defect bluetooth controller can cause a Denial of Service due to unchecked input in le_read_buffer_size_complete.
CVE-2021-3625 — CVSS 9.6 (critical): Buffer overflow in Zephyr USB DFU DNLOAD. Zephyr versions >= v2.5.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see…
CVE-2026-1678 — CVSS 9.4 (critical): dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes…
CVE-2024-11263 — CVSS 9.3 (critical): When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the…
CVE-2020-10071 — CVSS 9.0 (critical): The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow and…
CVE-2020-10022 — CVSS 9.0 (critical): A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a…
CVE-2020-10062 — CVSS 9.0 (critical): An off-by-one error in the Zephyr project MQTT packet length decoder can result in memory corruption and possible remote code execution…
CVE-2020-13601 — CVSS 9.0 (critical): Possible read out of bounds in dns read. Zephyr versions >= 1.14.2, >= 2.3.0 contain Out-of-bounds Read (CWE-125). For more information…
CVE-2020-10070 — CVSS 9.0 (critical): In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031…
CVE-2026-10643 — CVSS 8.7 (high): Zephyr's IP socket recvmsg() implementation (subsys/net/lib/sockets/sockets_inet.c, insert_pktinfo()) validated the user-supplied ancillary…
CVE-2024-10395 — CVSS 8.6 (high): No proper validation of the length of user input in http_server_get_content_type_from_extension.
CVE-2022-2993 — CVSS 8.6 (high): There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all…
CVE-2023-4258 — CVSS 8.6 (high): In Bluetooth mesh implementation If provisionee has a public key that is sent OOB then during provisioning it can be sent back and will be…
CVE-2023-7060 — CVSS 8.6 (high): Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or…
CVE-2023-4424 — CVSS 8.3 (high): An malicious BLE device can cause buffer overflow by sending malformed advertising packet BLE device using Zephyr OS, leading to DoS or…
CVE-2021-3835 — CVSS 8.2 (high): Buffer overflow in usb device class. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow (CWE-122). For more information, see…
CVE-2025-1674 — CVSS 8.2 (high): A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.
CVE-2025-1675 — CVSS 8.2 (high): The function dns_copy_qname in dns_pack.c performs performs a memcpy operation with an untrusted field and does not check if the source…
CVE-2024-1638 — CVSS 8.2 (high): The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic: Attribute…
CVE-2025-1673 — CVSS 8.2 (high): A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an…
CVE-2022-2741 — CVSS 8.2 (high): The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The…
CVE-2022-1042 — CVSS 8.2 (high): In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.
CVE-2022-1041 — CVSS 8.2 (high): In Zephyr bluetooth mesh core stack, an out-of-bound write vulnerability can be triggered during provisioning.
CVE-2021-3861 — CVSS 8.2 (high): The RNDIS USB device class includes a buffer overflow vulnerability. Zephyr versions >= v2.6.0 contain Heap-based Buffer Overflow…
CVE-2020-10019 — CVSS 8.1 (high): USB DFU has a potential buffer overflow where the requested length (wLength) is not checked against the buffer size. This could be used by…
CVE-2020-10021 — CVSS 8.1 (high): Out-of-bounds Write in the USB Mass Storage memoryWrite handler with unaligned Sizes See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026 This issue…
CVE-2026-7656 — CVSS 8.1 (high): The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect…
CVE-2020-10061 — CVSS 8.1 (high): Improper handling of the full-buffer case in the Zephyr Bluetooth implementation can result in memory corruption. This issue affects…
CVE-2020-10060 — CVSS 8.0 (high): In updatehub_probe, right after JSON parsing is complete, objects\[1] is accessed from the output structure in two different places. If the…
CVE-2020-10058 — CVSS 7.8 (high): Multiple syscalls in the Kscan subsystem perform insufficient argument validation, allowing code executing in userspace to potentially gain…
CVE-2017-14201 — CVSS 7.8 (high): Use After Free vulnerability in the Zephyr shell allows a serial or telnet connected user to cause denial of service, and possibly remote…
CVE-2017-14202 — CVSS 7.8 (high): Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the shell component of Zephyr allows a serial or…
CVE-2020-10028 — CVSS 7.8 (high): Multiple syscalls with insufficient argument validation See NCC-ZEP-006 This issue affects: zephyrproject-rtos zephyr version 1.14.0 and…
CVE-2020-10027 — CVSS 7.8 (high): An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This…
CVE-2020-10024 — CVSS 7.8 (high): The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained code…
CVE-2025-7403 — CVSS 7.6 (high): Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are…
CVE-2026-13351 — CVSS 7.5 (high): Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously…
CVE-2024-8798 — CVSS 7.5 (high): No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
CVE-2026-8023 — CVSS 7.5 (high): Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when…
CVE-2021-3510 — CVSS 7.5 (high): Zephyr JSON decoder incorrectly decodes array of array. Zephyr versions >= >1.14.0, >= >2.5.0 contain Attempt to Access Child of a…
CVE-2021-3321 — CVSS 7.5 (high): Integer Underflow in Zephyr in IEEE 802154 Fragment Reassembly Header Removal. Zephyr versions >= >=2.4.0 contain Integer Overflow to…
CVE-2020-10067 — CVSS 7.5 (high): A malicious userspace application can cause a integer overflow and bypass security checks performed by system call handlers. The impact…
CVE-2026-10646 — CVSS 7.4 (high): Zephyr's BSD-sockets getaddrinfo() implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object…
CVE-2026-1679 — CVSS 7.3 (high): The eswifi socket offload driver copies user-provided payloads into a fixed buffer without checking available space; oversized sends…
CVE-2022-1841 — CVSS 7.2 (high): In subsys/net/ip/tcp.c , function tcp_flags , when the incoming parameter flags is ECN or CWR , the buf will out-of-bounds write a byte…
CVE-2026-10641 — CVSS 7.1 (high): Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an…
CVE-2021-3330 — CVSS 7.1 (high): RCE/DOS: Linked-list corruption leading to large out-of-bounds write while sorting for forged fragment list in Zephyr. Zephyr versions >=…
CVE-2025-10456 — CVSS 7.1 (high): A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker…
CVE-2023-4259 — CVSS 7.1 (high): Two potential buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code.
CVE-2026-10651 — CVSS 7.1 (high): A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c…
CVE-2026-10658 — CVSS 7.1 (high): A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv()…
CVE-2023-5563 — CVSS 7.1 (high): The SJA1000 CAN controller driver backend automatically attempt to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECO…
CVE-2023-5184 — CVSS 7.0 (high): Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers.
CVE-2020-13600 — CVSS 7.0 (high): Malformed SPI in response for eswifi can corrupt kernel memory. Zephyr versions >= 1.14.2, >= 2.3.0 contain Heap-based Buffer Overflow…
CVE-2021-3581 — CVSS 7.0 (high): Buffer Access with Incorrect Length Value in zephyr. Zephyr versions >= >=2.5.0 contain Buffer Access with Incorrect Length Value…
CVE-2020-10023 — CVSS 6.9 (medium): The shell subsystem contains a buffer overflow, whereby an adversary with physical access to the device is able to cause a memory…
CVE-2025-20696 — CVSS 6.8 (medium): In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an…
CVE-2023-2234 — CVSS 6.8 (medium): Union variant confusion allows any malicious BT controller to execute arbitrary code on the Zephyr host.
CVE-2020-10063 — CVSS 6.8 (medium): A remote adversary with the ability to send arbitrary CoAP packets to be parsed by Zephyr is able to cause a denial of service. This issue…
CVE-2023-0396 — CVSS 6.8 (medium): A malicious / defective bluetooth controller can cause buffer overreads in the most functions that process HCI command responses.
CVE-2025-20747 — CVSS 6.7 (medium): In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege…
CVE-2023-0779 — CVSS 6.7 (medium): At the most basic level, an invalid pointer can be input that crashes the device, but with more knowledge of the device’s memory layout…
CVE-2025-20746 — CVSS 6.7 (medium): In gnss service, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege…
CVE-2026-9263 — CVSS 6.5 (medium): The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a…
CVE-2021-3322 — CVSS 6.5 (medium): Unexpected Pointer Aliasing in IEEE 802154 Fragment Reassembly in Zephyr. Zephyr versions >= >=2.4.0 contain NULL Pointer Dereference…
CVE-2021-3430 — CVSS 6.5 (medium): Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. Zephyr versions >= v1.14 contain Reachable Assertion (CWE-617). For more…
CVE-2022-0553 — CVSS 6.5 (medium): There is no check to see if slot 0 is being uploaded from the device to the host. When using encrypted images this means the unencrypted…
CVE-2024-3332 — CVSS 6.5 (medium): A malicious BLE device can send a specific order of packet sequence to cause a DoS attack on the victim BLE device
CVE-2026-10593 — CVSS 6.5 (medium): The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In…
CVE-2026-10642 — CVSS 6.5 (medium): The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly…
CVE-2026-10655 — CVSS 6.5 (medium): The asynchronous SNTP client in Zephyr (subsys/net/lib/sntp/sntp.c, sntp_close_async) closed the UDP socket file descriptor directly from…
CVE-2023-4265 — CVSS 6.4 (medium): Potential buffer overflow vulnerabilities in the following locations: https://github.com/zephyrproject-rtos/zephyr/blob/main/drivers/usb/dev…
CVE-2026-10653 — CVSS 6.4 (medium): The Zephyr net_buf library (lib/net_buf/buf.c) manipulated both of its reference counts -- the per-header buf->ref and the per-data-block…
CVE-2020-13598 — CVSS 6.3 (medium): FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat. Zephyr versions >= v1.14.2, >= v2.3.0 contain Stack-based…
CVE-2026-10635 — CVSS 6.3 (medium): On Xtensa targets with CONFIG_USERSPACE and CONFIG_XTENSA_MMU, the page-table code (arch/xtensa/core/ptables.c) maintains a global list…
CVE-2024-6444 — CVSS 6.3 (medium): No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
CVE-2024-6442 — CVSS 6.3 (medium): In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecked tailroom could lead to a global buffer overflow.
CVE-2023-5753 — CVSS 6.3 (medium): Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
CVE-2024-6443 — CVSS 6.3 (medium): In utf8_trunc in zephyr/lib/utils/utf8.c, last_byte_p can point to one byte before the string pointer if the string is empty.
CVE-2026-10648 — CVSS 6.2 (medium): mcumgr_serial_process_frag() in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset() on the result of smp_packet_alloc()…
CVE-2026-4179 — CVSS 6.1 (medium): Issues in stm32 USB device driver (drivers/usb/device/usb_dc_stm32.c) can lead to an infinite while loop.
CVE-2026-10637 — CVSS 5.9 (medium): subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per…
CVE-2021-3320 — CVSS 5.9 (medium): Type Confusion in 802154 ACK Frames Handling. Zephyr versions >= v2.4.0 contain NULL Pointer Dereference (CWE-476). For more information…
CVE-2023-1902 — CVSS 5.9 (medium): The bluetooth HCI host layer logic not clearing a global reference to a state pointer after handling connection events may allow a…
CVE-2023-1901 — CVSS 5.9 (medium): The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a…
CVE-2020-10072 — CVSS 5.9 (medium): Improper Handling of Insufficient Permissions or Privileges in zephyr. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of…
CVE-2026-10638 — CVSS 5.9 (medium): subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In…
CVE-2026-10647 — CVSS 5.3 (medium): The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet…
CVE-2020-10068 — CVSS 5.1 (medium): In the Zephyr project Bluetooth subsystem, certain duplicate and back-to-back packets can cause incorrect behavior, resulting in a denial…
CVE-2021-3434 — CVSS 4.9 (medium): Stack based buffer overflow in le_ecred_conn_req(). Zephyr versions >= v2.5.0 Stack-based Buffer Overflow (CWE-121). For more information…
CVE-2026-10645 — CVSS 4.9 (medium): Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing…
CVE-2026-10652 — CVSS 4.8 (medium): Zephyr's DNS resolver (subsys/net/lib/dns) parses resource records from DNS responses in dns_unpack_answer(), which validated only the…
CVE-2026-10634 — CVSS 4.8 (medium): Zephyr's native TCP stack iterates the global connection list in net_tcp_foreach() (subsys/net/ip/tcp.c) using the SYS_SLIST_FOR_EACH_CONTAI…
CVE-2026-10639 — CVSS 4.8 (medium): In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to…
CVE-2020-10059 — CVSS 4.8 (medium): The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images…
CVE-2026-20435 — CVSS 4.6 (medium): In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure…
CVE-2023-5139 — CVSS 4.4 (medium): Potential buffer overflow vulnerability at the following location in the Zephyr STM32 Crypto driver
CVE-2020-10069 — CVSS 4.3 (medium): Zephyr Bluetooth unchecked packet data results in denial of service. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of…
CVE-2021-3431 — CVSS 4.3 (medium): Assertion reachable with repeated LL_FEATURE_REQ. Zephyr versions >= v2.5.0 contain Reachable Assertion (CWE-617). For more information…
CVE-2021-3455 — CVSS 4.3 (medium): Disconnecting L2CAP channel right after invalid ATT request leads freeze. Zephyr versions >= 2.4.0, >= 2.5.0 contain Use After Free…
CVE-2021-3432 — CVSS 4.3 (medium): Invalid interval in CONNECT_IND leads to Division by Zero. Zephyr versions >= v1.14.0 Divide By Zero (CWE-369). For more information, see…
CVE-2025-10457 — CVSS 4.3 (medium): The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device…
CVE-2021-3436 — CVSS 4.3 (medium): BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions…
CVE-2026-10644 — CVSS 4.2 (medium): The Microchip SERCOM-G1 UART driver (drivers/serial/uart_mchp_sercom_g1.c), used by the PIC32CM-JH SoC family, contains an out-of-bounds…
CVE-2020-13602 — CVSS 4.0 (medium): Remote Denial of Service in LwM2M do_write_op_tlv. Zephyr versions >= 1.14.2, >= 2.2.0 contain Improper Input Validation (CWE-20), Loop…
CVE-2021-3433 — CVSS 4.0 (medium): Invalid channel map in CONNECT_IND results to Deadlock. Zephyr versions >= v2.5.0 Improper Check or Handling of Exceptional Conditions…
CVE-2021-3435 — CVSS 4.0 (medium): Information leakage in le_ecred_conn_req(). Zephyr versions >= v2.4.0 Use of Uninitialized Resource (CWE-908). For more information, see…
CVE-2020-10065 — CVSS 3.8 (low): Missing Size Checks in Bluetooth HCI over SPI. Zephyr versions >= v1.14.2, >= v2.2.0 contain Improper Handling of Length Parameter…
CVE-2026-0849 — CVSS 3.8 (low): Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a…
CVE-2026-10636 — CVSS 3.7 (low): In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via…
CVE-2020-13599 — CVSS 3.3 (low): Security problem with settings and littlefs. Zephyr versions >= 1.14.2, >= 2.3.0 contain Incorrect Default Permissions (CWE-276). For more…
CVE-2026-10654 — CVSS 3.1 (low): A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous…
CVE-2020-10066 — CVSS 2.5 (low): Incorrect Error Handling in Bluetooth HCI core. Zephyr versions >= v1.14.2, >= v2.2.0 contain NULL Pointer Dereference (CWE-476). For more…