Zephyrproject: >> Zephyr >> 1.14.2 Security Vulnerabilities
dns_unpack_name() caches the buffer tailroom once and reuses it while appending DNS labels. As the buffer grows, the cached size becomes incorrect, and the final null terminator can be written past the buffer. With assertions disabled (default), a malicious DNS response can trigger an out-of-bounds write when CONFIG_DNS_RESOLVER is enabled.
CVSS Score
9.4
EPSS Score
0.001
Published
2026-03-05
Parameters are not validated or sanitized, and are later used in various internal operations.
CVSS Score
7.6
EPSS Score
0.0
Published
2025-09-19
Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.
CVSS Score
7.6
EPSS Score
0.0
Published
2025-09-19
A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption, depending on the BLE stack implementation.
CVSS Score
7.1
EPSS Score
0.0
Published
2025-09-19
The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-09-19
A denial-of-service issue in the dns implemenation could cause an infinite loop.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-06-24
A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.
CVSS Score
8.2
EPSS Score
0.002
Published
2025-02-25
A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.
CVSS Score
8.2
EPSS Score
0.003
Published
2025-02-25
No proper validation of the length of user input in http_server_get_content_type_from_extension.
CVSS Score
8.6
EPSS Score
0.003
Published
2025-02-03
No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.
CVSS Score
7.5
EPSS Score
0.003
Published
2024-12-16
Page 1