.. _vulnerabilities: Vulnerabilities ############### This page collects all of the vulnerabilities that are discovered and fixed in each release. It will also often have more details than is available in the releases. Some vulnerabilities are deemed to be sensitive, and will not be publicly discussed until there is sufficient time to fix them. Because the release notes are locked to a version, the information here can be updated after the embargo is lifted. CVE-2017 ======== CVE-2017-14199 -------------- Buffer overflow in :code:`getaddrinfo()`. - `CVE-2017-14199 `_ - `Zephyr project bug tracker ZEPSEC-12 `_ - `PR6158 fix for 1.11.0 `_ CVE-2017-14201 -------------- The shell DNS command can cause unpredictable results due to misuse of stack variables. Use After Free vulnerability in the Zephyr shell allows a serial or telnet connected user to cause denial of service, and possibly remote code execution. This has been fixed in release v1.14.0. - `CVE-2017-14201 `_ - `Zephyr project bug tracker ZEPSEC-17 `_ - `PR13260 fix for v1.14.0 `_ CVE-2017-14202 -------------- The shell implementation does not protect against buffer overruns resulting in unpredictable behavior. Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the shell component of Zephyr allows a serial or telnet connected user to cause a crash, possibly with arbitrary code execution. This has been fixed in release v1.14.0. - `CVE-2017-14202 `_ - `Zephyr project bug tracker ZEPSEC-18 `_ - `PR13048 fix for v1.14.0 `_ CVE-2019 ======== CVE-2019-9506 ------------- The Bluetooth BR/EDR specification up to and including version 5.1 permits sufficiently low encryption key length and does not prevent an attacker from influencing the key length negotiation. This allows practical brute-force attacks (aka "KNOB") that can decrypt traffic and inject arbitrary ciphertext without the victim noticing. - `CVE-2019-9506 `_ - `Zephyr project bug tracker ZEPSEC-20 `_ - `PR18702 fix for v1.14.0 `_ - `PR18659 fix for v2.0.0 `_ CVE-2020 ======== CVE-2020-10019 -------------- Buffer Overflow vulnerability in USB DFU of zephyr allows a USB connected host to cause possible remote code execution. This has been fixed in releases v1.14.2, v2.2.0, and v2.1.1. - `CVE-2020-10019 `_ - `Zephyr project bug tracker ZEPSEC-25 `_ - `PR23460 fix for 1.14.x `_ - `PR23457 fix for 2.1.x `_ - `PR23190 fix in 2.2.0 `_ CVE-2020-10021 -------------- Out-of-bounds write in USB Mass Storage with unaligned sizes Out-of-bounds Write in the USB Mass Storage memoryWrite handler with unaligned Sizes. See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026 This has been fixed in releases v1.14.2, and v2.2.0. - `CVE-2020-10021 `_ - `Zephyr project bug tracker ZEPSEC-26 `_ - `PR23455 fix for v1.14.2 `_ - `PR23456 fix for the v2.1 branch `_ - `PR23240 fix for v2.2.0 `_ CVE-2020-10022 -------------- UpdateHub Module Copies a Variable-Size Hash String Into a Fixed-Size Array A malformed JSON payload that is received from an UpdateHub server may trigger memory corruption in the Zephyr OS. This could result in a denial of service in the best case, or code execution in the worst case. See NCC-ZEP-016 This has been fixed in the below pull requests for main, branch from v2.1.0, and branch from v2.2.0. - `CVE-2020-10022 `_ - `Zephyr project bug tracker ZEPSEC-28 `_ - `PR24154 fix for main `_ - `PR24065 fix for branch from v2.1.0 `_ - `PR24066 fix for branch from v2.2.0 `_ CVE-2020-10023 -------------- Shell Subsystem Contains a Buffer Overflow Vulnerability In shell_spaces_trim The shell subsystem contains a buffer overflow, whereby an adversary with physical access to the device is able to cause a memory corruption, resulting in denial of service or possibly code execution within the Zephyr kernel. See NCC-ZEP-019 This has been fixed in releases v1.14.2, v2.2.0, and in a branch from v2.1.0, - `CVE-2020-10023 `_ - `Zephyr project bug tracker ZEPSEC-29 `_ - `PR23646 fix for v1.14.2 `_ - `PR23649 fix for branch from v2.1.0 `_ - `PR23304 fix for v2.2.0 `_ CVE-2020-10024 -------------- ARM Platform Uses Signed Integer Comparison When Validating Syscall Numbers The arm platform-specific code uses a signed integer comparison when validating system call numbers. An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This has been fixed in releases v1.14.2, and v2.2.0, and in a branch from v2.1.0, - `CVE-2020-10024 `_ - `Zephyr project bug tracker ZEPSEC-30 `_ - `PR23535 fix for v1.14.2 `_ - `PR23498 fix for branch from v2.1.0 `_ - `PR23323 fix for v2.2.0 `_ CVE-2020-10027 -------------- ARC Platform Uses Signed Integer Comparison When Validating Syscall Numbers An attacker who has obtained code execution within a user thread is able to elevate privileges to that of the kernel. See NCC-ZEP-001 This has been fixed in releases v1.14.2, and v2.2.0, and in a branch from v2.1.0. - `CVE-2020-10027 `_ - `Zephyr project bug tracker ZEPSEC-35 `_ - `PR23500 fix for v1.14.2 `_ - `PR23499 fix for branch from v2.1.0 `_ - `PR23328 fix for v2.2.0 `_ CVE-2020-10028 -------------- Multiple Syscalls In GPIO Subsystem Performs No Argument Validation Multiple syscalls with insufficient argument validation See NCC-ZEP-006 This has been fixed in releases v1.14.2, and v2.2.0, and in a branch from v2.1.0. - `CVE-2020-10028 `_ - `Zephyr project bug tracker ZEPSEC-32 `_ - `PR23733 fix for v1.14.2 `_ - `PR23737 fix for branch from v2.1.0 `_ - `PR23308 fix for v2.2.0 (gpio patch) `_ CVE-2020-10058 -------------- Multiple Syscalls In kscan Subsystem Performs No Argument Validation Multiple syscalls in the Kscan subsystem perform insufficient argument validation, allowing code executing in userspace to potentially gain elevated privileges. See NCC-ZEP-006 This has been fixed in a branch from v2.1.0, and release v2.2.0. - `CVE-2020-10058 `_ - `Zephyr project bug tracker ZEPSEC-34 `_ - `PR23748 fix for branch from v2.1.0 `_ - `PR23308 fix for v2.2.0 (kscan patch) `_ CVE-2020-10059 -------------- UpdateHub Module Explicitly Disables TLS Verification The UpdateHub module disables DTLS peer checking, which allows for a man in the middle attack. This is mitigated by firmware images requiring valid signatures. However, there is no benefit to using DTLS without the peer checking. See NCC-ZEP-018 This has been fixed in a PR against Zephyr main. - `CVE-2020-10059 `_ - `Zephyr project bug tracker ZEPSEC-36 `_ - `PR24954 fix on main (to be fixed in v2.3.0) `_ - `PR24954 fix v2.1.0 `_ - `PR24954 fix v2.2.0 `_ CVE-2020-10060 -------------- UpdateHub Might Dereference An Uninitialized Pointer In updatehub_probe, right after JSON parsing is complete, objects\[1] is accessed from the output structure in two different places. If the JSON contained less than two elements, this access would reference uninitialized stack memory. This could result in a crash, denial of service, or possibly an information leak. Recommend disabling updatehub until such a time as a fix can be made available. See NCC-ZEP-030 This has been fixed in a PR against Zephyr main. - `CVE-2020-10060 `_ - `Zephyr project bug tracker ZEPSEC-37 `_ - `PR27865 fix on main (to be fixed in v2.4.0) `_ - `PR27865 fix for v2.3.0 `_ - `PR27865 fix for v2.2.0 `_ - `PR27865 fix for v2.1.0 `_ CVE-2020-10061 -------------- Error handling invalid packet sequence Improper handling of the full-buffer case in the Zephyr Bluetooth implementation can result in memory corruption. This has been fixed in branches for v1.14.0, v2.2.0, and will be included in v2.3.0. - `CVE-2020-10061 `_ - `Zephyr project bug tracker ZEPSEC-75 `_ - `PR23516 fix for v2.3 (split driver) `_ - `PR23517 fix for v2.3 (legacy driver) `_ - `PR23091 fix for branch from v1.14.0 `_ - `PR23547 fix for branch from v2.2.0 `_ CVE-2020-10062 -------------- Packet length decoding error in MQTT CVE: An off-by-one error in the Zephyr project MQTT packet length decoder can result in memory corruption and possible remote code execution. NCC-ZEP-031 The MQTT packet header length can be 1 to 4 bytes. An off-by-one error in the code can result in this being interpreted as 5 bytes, which can cause an integer overflow, resulting in memory corruption. This has been fixed in main for v2.3. - `CVE-2020-10062 `_ - `Zephyr project bug tracker ZEPSEC-84 `_ - `commit 11b7a37d for v2.3 `_ - `NCC-ZEP report`_ (NCC-ZEP-031) .. _NCC-ZEP report: https://research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-assessment CVE-2020-10063 -------------- Remote Denial of Service in CoAP Option Parsing Due To Integer Overflow A remote adversary with the ability to send arbitrary CoAP packets to be parsed by Zephyr is able to cause a denial of service. This has been fixed in main for v2.3. - `CVE-2020-10063 `_ - `Zephyr project bug tracker ZEPSEC-55 `_ - `PR24435 fix in main for v2.3 `_ - `PR24531 fix for branch from v2.2 `_ - `PR24535 fix for branch from v2.1 `_ - `PR24530 fix for branch from v1.14 `_ - `NCC-ZEP report`_ (NCC-ZEP-032) CVE-2020-10064 -------------- Improper Input Frame Validation in ieee802154 Processing - `CVE-2020-10064 `_ - `Zephyr project bug tracker ZEPSEC-65 `_ - `PR24971 fix for v2.4 `_ - `PR33451 fix for v1.4 `_ CVE-2020-10065 -------------- OOB Write after not validating user-supplied length (<= 0xffff) and copying to fixed-size buffer (default: 77 bytes) for HCI_ACL packets in bluetooth HCI over SPI driver. - `CVE-2020-10065 `_ - `Zephyr project bug tracker ZEPSEC-66 `_ - This issue has not been fixed. CVE-2020-10066 -------------- Incorrect Error Handling in Bluetooth HCI core In hci_cmd_done, the buf argument being passed as null causes nullpointer dereference. - `CVE-2020-10066 `_ - `Zephyr project bug tracker ZEPSEC-67 `_ - `PR24902 fix for v2.4 `_ - `PR25089 fix for v1.4 `_ CVE-2020-10067 -------------- Integer Overflow In is_in_region Allows User Thread To Access Kernel Memory A malicious userspace application can cause a integer overflow and bypass security checks performed by system call handlers. The impact would depend on the underlying system call and can range from denial of service to information leak to memory corruption resulting in code execution within the kernel. See NCC-ZEP-005 This has been fixed in releases v1.14.2, and v2.2.0. - `CVE-2020-10067 `_ - `Zephyr project bug tracker ZEPSEC-27 `_ - `PR23653 fix for v1.14.2 `_ - `PR23654 fix for the v2.1 branch `_ - `PR23239 fix for v2.2.0 `_ CVE-2020-10068 -------------- Zephyr Bluetooth DLE duplicate requests vulnerability In the Zephyr project Bluetooth subsystem, certain duplicate and back-to-back packets can cause incorrect behavior, resulting in a denial of service. This has been fixed in branches for v1.14.0, v2.2.0, and will be included in v2.3.0. - `CVE-2020-10068 `_ - `Zephyr project bug tracker ZEPSEC-78 `_ - `PR23707 fix for v2.3 (split driver) `_ - `PR23708 fix for v2.3 (legacy driver) `_ - `PR23091 fix for branch from v1.14.0 `_ - `PR23964 fix for v2.2.0 `_ CVE-2020-10069 -------------- Zephyr Bluetooth unchecked packet data results in denial of service An unchecked parameter in bluetooth data can result in an assertion failure, or division by zero, resulting in a denial of service attack. This has been fixed in branches for v1.14.0, v2.2.0, and will be included in v2.3.0. - `CVE-2020-10069 `_ - `Zephyr project bug tracker ZEPSEC-81 `_ - `PR23705 fix for v2.3 (split driver) `_ - `PR23706 fix for v2.3 (legacy driver) `_ - `PR23091 fix for branch from v1.14.0 `_ - `PR23963 fix for branch from v2.2.0 `_ CVE-2020-10070 -------------- MQTT buffer overflow on receive buffer In the Zephyr Project MQTT code, improper bounds checking can result in memory corruption and possibly remote code execution. NCC-ZEP-031 When calculating the packet length, arithmetic overflow can result in accepting a receive buffer larger than the available buffer space, resulting in user data being written beyond this buffer. This has been fixed in main for v2.3. - `CVE-2020-10070 `_ - `Zephyr project bug tracker ZEPSEC-85 `_ - `commit 0b39cbf3 for v2.3 `_ - `NCC-ZEP report`_ (NCC-ZEP-031) CVE-2020-10071 -------------- Insufficient publish message length validation in MQTT The Zephyr MQTT parsing code performs insufficient checking of the length field on publish messages, allowing a buffer overflow and potentially remote code execution. NCC-ZEP-031 This has been fixed in main for v2.3. - `CVE-2020-10071 `_ - `Zephyr project bug tracker ZEPSEC-86 `_ - `commit 989c4713 fix for v2.3 `_ - `NCC-ZEP report`_ (NCC-ZEP-031) CVE-2020-10072 -------------- All threads can access all socket file descriptors There is no management of permissions to network socket API file descriptors. Any thread running on the system may read/write a socket file descriptor knowing only the numerical value of the file descriptor. - `CVE-2020-10072 `_ - `Zephyr project bug tracker ZEPSEC-87 `_ - `PR25804 fix for v2.4 `_ - `PR27176 fix for v1.4 `_ CVE-2020-10136 ------------------- IP-in-IP protocol routes arbitrary traffic by default zephyrproject - `CVE-2020-10136 `_ - `Zephyr project bug tracker ZEPSEC-64 `_ CVE-2020-13598 -------------- FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat Performing fs_stat on a file with a filename longer than 12 characters long will cause a buffer overflow. - `CVE-2020-13598 `_ - `Zephyr project bug tracker ZEPSEC-88 `_ - `PR25852 fix for v2.4 `_ - `PR28782 fix for v2.3 `_ - `PR33577 fix for v1.4 `_ CVE-2020-13599 -------------- Security problem with settings and littlefs When settings is used in combination with littlefs all security related information can be extracted from the device using MCUmgr and this could be used e.g in bt-mesh to get the device key, network key, app keys from the device. - `CVE-2020-13599 `_ - `Zephyr project bug tracker ZEPSEC-57 `_ - `PR26083 fix for v2.4 `_ CVE-2020-13600 ------------------- Malformed SPI in response for eswifi can corrupt kernel memory - `CVE-2020-13600 `_ - `Zephyr project bug tracker ZEPSEC-91 `_ - `PR26712 fix for v2.4 `_ CVE-2020-13601 -------------- Possible read out of bounds in dns read - `CVE-2020-13601 `_ - `Zephyr project bug tracker ZEPSEC-92 `_ - `PR27774 fix for v2.4 `_ - `PR30503 fix for v1.4 `_ CVE-2020-13602 -------------- Remote Denial of Service in LwM2M do_write_op_tlv In the Zephyr LwM2M implementation, malformed input can result in an infinite loop, resulting in a denial of service attack. - `CVE-2020-13602 `_ - `Zephyr project bug tracker ZEPSEC-56 `_ - `PR26571 fix for v2.4 `_ - `PR33578 fix for v1.4 `_ CVE-2020-13603 -------------- Possible overflow in mempool * Zephyr offers pre-built 'malloc' wrapper function instead. * The 'malloc' function is wrapper for the 'sys_mem_pool_alloc' function * sys_mem_pool_alloc allocates 'size + WB_UP(sizeof(struct sys_mem_pool_block))' in an unsafe manner. * Asking for very large size values leads to internal integer wrap-around. * Integer wrap-around leads to successful allocation of very small memory. * For example: calling malloc(0xffffffff) leads to successful allocation of 7 bytes. * That leads to heap overflow. - `CVE-2020-13603 `_ - `Zephyr project bug tracker ZEPSEC-111 `_ - `PR31796 fix for v2.4 `_ - `PR32808 fix for v1.4 `_ CVE-2021 ======== CVE-2021-3319 ------------- DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses Improper processing of omitted source and destination addresses in ieee802154 frame validation (ieee802154_validate_frame) This has been fixed in main for v2.5.0 - `CVE-2020-3319 `_ - `Zephyr project bug tracker GHSA-94jg-2p6q-5364 `_ - `PR31908 fix for main `_ CVE-2021-3320 ------------------- Mismatch between validation and handling of 802154 ACK frames, where ACK frames are considered during validation, but not during actual processing, leading to a type confusion. - `CVE-2020-3320 `_ - `PR31908 fix for main `_ CVE-2021-3321 ------------- Incomplete check of minimum IEEE 802154 fragment size leading to an integer underflow. - `CVE-2020-3321 `_ - `Zephyr project bug tracker ZEPSEC-114 `_ - `PR33453 fix for v2.4 `_ CVE-2021-3323 ------------- Integer Underflow in 6LoWPAN IPHC Header Uncompression This has been fixed in main for v2.5.0 - `CVE-2020-3323 `_ - `Zephyr project bug tracker GHSA-89j6-qpxf-pfpc `_ - `PR 31971 fix for main `_ CVE-2021-3430 ------------- Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. This has been fixed in main for v2.6.0 - `CVE-2021-3430 `_ - `Zephyr project bug tracker GHSA-46h3-hjcq-2jjr `_ - `PR 33272 fix for main `_ - `PR 33369 fix for 2.5 `_ - `PR 33759 fix for 1.14.2 `_ CVE-2021-3431 ------------- BT: Assertion failure on repeated LL_FEATURE_REQ This has been fixed in main for v2.6.0 - `CVE-2021-3431 `_ - `Zephyr project bug tracker GHSA-7548-5m6f-mqv9 `_ - `PR 33340 fix for main `_ - `PR 33369 fix for 2.5 `_ CVE-2021-3432 ------------- Invalid interval in CONNECT_IND leads to Division by Zero This has been fixed in main for v2.6.0 - `CVE-2021-3432 `_ - `Zephyr project bug tracker GHSA-7364-p4wc-8mj4 `_ - `PR 33278 fix for main `_ - `PR 33369 fix for 2.5 `_ CVE-2021-3433 ------------- BT: Invalid channel map in CONNECT_IND results to Deadlock This has been fixed in main for v2.6.0 - `CVE-2021-3433 `_ - `Zephyr project bug tracker GHSA-3c2f-w4v6-qxrp `_ - `PR 33278 fix for main `_ - `PR 33369 fix for 2.5 `_ CVE-2021-3434 ------------- L2CAP: Stack based buffer overflow in le_ecred_conn_req() This has been fixed in main for v2.6.0 - `CVE-2021-3434 `_ - `Zephyr project bug tracker GHSA-8w87-6rfp-cfrm `_ - `PR 33305 fix for main `_ - `PR 33419 fix for 2.5 `_ - `PR 33418 fix for 1.14.2 `_ CVE-2021-3435 ------------- L2CAP: Information leakage in le_ecred_conn_req() This has been fixed in main for v2.6.0 - `CVE-2021-3435 `_ - `Zephyr project bug tracker GHSA-xhg3-gvj6-4rqh `_ - `PR 33305 fix for main `_ - `PR 33419 fix for 2.5 `_ - `PR 33418 fix for 1.14.2 `_ CVE-2021-3436 ------------- Bluetooth: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known During the distribution of the identity address information we don’t check for an existing bond with the same identity address.This means that a duplicate entry will be created in RAM while the newest entry will overwrite the existing one in persistent storage. This has been fixed in main for v2.6.0 - `CVE-2021-3436 `_ - `Zephyr project bug tracker GHSA-j76f-35mc-4h63 `_ - `PR 33266 fix for main `_ - `PR 33432 fix for 2.5 `_ - `PR 33433 fix for 2.4 `_ - `PR 33718 fix for 1.14.2 `_ CVE-2021-3454 ------------- Truncated L2CAP K-frame causes assertion failure For example, sending L2CAP K-frame where SDU length field is truncated to only one byte, causes assertion failure in previous releases of Zephyr. This has been fixed in master by commit 0ba9437 but has not yet been backported to older release branches. This has been fixed in main for v2.6.0 - `CVE-2021-3454 `_ - `Zephyr project bug tracker GHSA-fx88-6c29-vrp3 `_ - `PR 32588 fix for main `_ - `PR 33513 fix for 2.5 `_ - `PR 33514 fix for 2.4 `_ CVE-2021-3455 ------------- Disconnecting L2CAP channel right after invalid ATT request leads freeze When Central device connects to peripheral and creates L2CAP connection for Enhanced ATT, sending some invalid ATT request and disconnecting immediately causes freeze. This has been fixed in main for v2.6.0 - `CVE-2021-3455 `_ - `Zephyr project bug tracker GHSA-7g38-3x9v-v7vp `_ - `PR 35597 fix for main `_ - `PR 36104 fix for 2.5 `_ - `PR 36105 fix for 2.4 `_ CVE-2021-3510 ------------- Zephyr JSON decoder incorrectly decodes array of array When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray is has the token type JSON_TOK_LIST_START, but then assigns to the object part of the union. arr_parse then takes the offset of the array-object (which has nothing todo with the list) treats it as relative to the parent object, and stores the length of the subarray in there. This has been fixed in main for v2.7.0 - `CVE-2021-3510 `_ - `Zephyr project bug tracker GHSA-289f-7mw3-2qf4 `_ - `PR 36340 fix for main `_ - `PR 37816 fix for 2.6 `_ CVE-2021-3581 ------------- HCI data not properly checked leads to memory overflow in the Bluetooth stack In the process of setting SCAN_RSP through the HCI command, the Zephyr Bluetooth protocol stack did not effectively check the length of the incoming HCI data. Causes memory overflow, and then the data in the memory is overwritten, and may even cause arbitrary code execution. This has been fixed in main for v2.6.0 - `CVE-2021-3581 `_ - `Zephyr project bug tracker GHSA-8q65-5gqf-fmw5 `_ - `PR 35935 fix for main `_ - `PR 35984 fix for 2.5 `_ - `PR 35985 fix for 2.4 `_ - `PR 35985 fix for 1.14 `_ CVE-2021-3625 ------------- Buffer overflow in Zephyr USB DFU DNLOAD This has been fixed in main for v2.6.0 - `CVE-2021-3625 `_ - `Zephyr project bug tracker GHSA-c3gr-hgvr-f363 `_ - `PR 36694 fix for main `_ CVE-2021-3835 ------------- Buffer overflow in Zephyr USB device class This has been fixed in main for v3.0.0 - `CVE-2021-3835 `_ - `Zephyr project bug tracker GHSA-fm6v-8625-99jf `_ - `PR 42093 fix for main `_ - `PR 42167 fix for 2.7 `_ CVE-2021-3861 ------------- Buffer overflow in the RNDIS USB device class This has been fixed in main for v3.0.0 - `CVE-2021-3861 `_ - `Zephyr project bug tracker GHSA-hvfp-w4h8-gxvj `_ - `PR 39725 fix for main `_ CVE-2021-3966 ------------- Usb bluetooth device ACL read cb buffer overflow This has been fixed in main for v3.0.0 - `Zephyr project bug tracker GHSA-hfxq-3w6x-fv2m `_ - `PR 42093 fix for main `_ - `PR 42167 fix for v2.7.0 `_ CVE-2022 ======== CVE-2022-0553 ------------- Possible to retrieve unencrypted firmware image This has been fixed in main for v3.0.0 - `Zephyr project bug tracker GHSA-wrj2-9vj9-rrcp `_ - `PR 42424 fix for main `_ CVE-2022-1041 -------------- Out-of-bound write vulnerability in the Bluetooth Mesh core stack can be triggered during provisioning This has been fixed in main for v3.1.0 - `Zephyr project bug tracker GHSA-p449-9hv9-pj38 `_ - `PR 45136 fix for main `_ - `PR 45188 fix for v3.0.0 `_ - `PR 45187 fix for v2.7.0 `_ CVE-2022-1042 -------------- Out-of-bound write vulnerability in the Bluetooth Mesh core stack can be triggered during provisioning This has been fixed in main for v3.1.0 - `Zephyr project bug tracker GHSA-j7v7-w73r-mm5x `_ - `PR 45066 fix for main `_ - `PR 45135 fix for v3.0.0 `_ - `PR 45134 fix for v2.7.0 `_ CVE-2022-1841 -------------- Out-of-Bound Write in tcp_flags This has been fixed in main for v3.1.0 - `Zephyr project bug tracker GHSA-5c3j-p8cr-2pgh `_ - `PR 45796 fix for main `_ CVE-2022-2741 -------------- can: denial-of-service can be triggered by a crafted CAN frame This has been fixed in main for v3.2.0 - `Zephyr project bug tracker GHSA-hx5v-j59q-c3j8 `_ - `PR 47903 fix for main `_ - `PR 47957 fix for v3.1.0 `_ - `PR 47958 fix for v3.0.0 `_ - `PR 47959 fix for v2.7.0 `_ CVE-2022-2993 -------------- bt: host: Wrong key validation check This has been fixed in main for v3.2.0 - `Zephyr project bug tracker GHSA-3286-jgjx-8cvr `_ - `PR 48733 fix for main `_ CVE-2022-3806 ------------- DoS: Invalid Initialization in le_read_buffer_size_complete() - `Zephyr project bug tracker GHSA-w525-fm68-ppq3 `_ CVE-2023 ======== CVE-2023-0396 ------------- Buffer Overreads in Bluetooth HCI - `Zephyr project bug tracker GHSA-8rpp-6vxq-pqg3 `_ CVE-2023-0397 ------------- DoS: Invalid Initialization in le_read_buffer_size_complete() - `Zephyr project bug tracker GHSA-wc2h-h868-q7hj `_ This has been fixed in main for v3.3.0 - `PR 54905 fix for main `_ - `PR 47957 fix for v3.2.0 `_ - `PR 47958 fix for v3.1.0 `_ - `PR 47959 fix for v2.7.4 `_ CVE-2023-0779 ------------- net: shell: Improper input validation - `Zephyr project bug tracker GHSA-9xj8-6989-r549 `_ This has been fixed in main for v3.3.0 - `PR 54371 fix for main `_ - `PR 54380 fix for v3.2.0 `_ - `PR 54381 fix for v2.7.4 `_ CVE-2023-1901 ------------- HCI send_sync Dangling Semaphore Reference Re-use - `Zephyr project bug tracker GHSA-xvvm-8mcm-9cq3 `_ This has been fixed in main for v3.4.0 - `PR 56709 fix for main `_ CVE-2023-1902 ------------- HCI Connection Creation Dangling State Reference Re-use - `Zephyr project bug tracker GHSA-fx9g-8fr2-q899 `_ This has been fixed in main for v3.4.0 - `PR 56709 fix for main `_ CVE-2023-3725 ------------- Potential buffer overflow vulnerability in the Zephyr CANbus subsystem. - `Zephyr project bug tracker GHSA-2g3m-p6c7-8rr3 `_ This has been fixed in main for v3.5.0 - `PR 61502 fix for main `_ - `PR 61518 fix for 3.4 `_ - `PR 61517 fix for 3.3 `_ - `PR 61516 fix for 2.7 `_ CVE-2023-4257 ------------- Unchecked user input length in the Zephyr WiFi shell module can cause buffer overflows. - `Zephyr project bug tracker GHSA-853q-q69w-gf5j `_ This has been fixed in main for v3.5.0 - `PR 605377 fix for main `_ - `PR 61383 fix for 3.4 `_ CVE-2023-4258 ------------- bt: mesh: vulnerability in provisioning protocol implementation on provisionee side - `Zephyr project bug tracker GHSA-m34c-cp63-rwh7 `_ This has been fixed in main for v3.5.0 - `PR 59467 fix for main `_ - `PR 60078 fix for 3.4 `_ - `PR 60079 fix for 3.3 `_ CVE-2023-4259 ------------- Buffer overflow vulnerabilities in the Zephyr eS-WiFi driver - `Zephyr project bug tracker GHSA-gghm-c696-f4j4 `_ This has been fixed in main for v3.5.0 - `PR 63074 fix for main `_ - `PR 63750 fix for main `_ CVE-2023-4260 ------------- Off-by-one buffer overflow vulnerability in the Zephyr FS subsystem - `Zephyr project bug tracker GHSA-gj27-862r-55wh `_ This has been fixed in main for v3.5.0 - `PR 63079 fix for main `_ CVE-2023-4262 ------------- Potential buffer overflow vulnerabilities in the Zephyr Mgmt subsystem - `Zephyr project bug tracker GHSA-56p9-5p3v-hhrc `_ - This issue has not been fixed. CVE-2023-4263 ------------- Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nRF 15.4 driver. - `Zephyr project bug tracker GHSA-rf6q-rhhp-pqhf `_ This has been fixed in main for v3.5.0 - `PR 60528 fix for main `_ - `PR 61384 fix for 3.4 `_ - `PR 61216 fix for 2.7 `_ CVE-2023-4264 ------------- Potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem - `Zephyr project bug tracker GHSA-rgx6-3w4j-gf5j `_ This has been fixed in main for v3.5.0 - `PR 58834 fix for main `_ - `PR 60465 fix for main `_ - `PR 61845 fix for main `_ - `PR 61385 fix for 3.4 `_ CVE-2023-4265 ------------- Two potential buffer overflow vulnerabilities in Zephyr USB code - `Zephyr project bug tracker GHSA-4vgv-5r6q-r6xh `_ This has been fixed in main for v3.4.0 - `PR 59157 fix for main `_ - `PR 59018 fix for main `_ CVE-2023-4424 ------------- bt: hci: DoS and possible RCE - `Zephyr project bug tracker GHSA-j4qm-xgpf-qjw3 `_ This has been fixed in main for v3.5.0 - `PR 61651 fix for main `_ - `PR 61696 fix for 3.4 `_ - `PR 61695 fix for 3.3 `_ - `PR 61694 fix for 2.7 `_ CVE-2023-5055 ------------- L2CAP: Possible Stack based buffer overflow in le_ecred_reconf_req() - `Zephyr project bug tracker GHSA-wr8r-7f8x-24jj `_ This has been fixed in main for v3.5.0 - `PR 62381 fix for main `_ CVE-2023-5139 ------------- Potential buffer overflow vulnerability in the Zephyr STM32 Crypto driver. - `Zephyr project bug tracker GHSA-rhrc-pcxp-4453 `_ This has been fixed in main for v3.5.0 - `PR 61839 fix for main `_ CVE-2023-5184 ------------- Potential signed to unsigned conversion errors and buffer overflow vulnerabilities in the Zephyr IPM driver - `Zephyr project bug tracker GHSA-8x3p-q3r5-xh9g `_ This has been fixed in main for v3.5.0 - `PR 63069 fix for main `_ CVE-2023-5563 ------------- The SJA1000 CAN controller driver backend automatically attempts to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception. - `Zephyr project bug tracker GHSA-98mc-rj7w-7rpv `_ This has been fixed in main for v3.5.0 - `PR 63713 fix for main `_ - `PR 63718 fix for 3.4 `_ - `PR 63717 fix for 3.3 `_ CVE-2023-5753 ------------- Potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem source code when asserts are disabled. - `Zephyr project bug tracker GHSA-hmpr-px56-rvww `_ This has been fixed in main for v3.5.0 - `PR 63605 fix for main `_ CVE-2023-5779 ------------- Out of bounds issue in remove_rx_filter in multiple can drivers. - `Zephyr project bug tracker GHSA-7cmj-963q-jj47 `_ This has been fixed in main for v3.6.0 - `PR 64399 fix for main `_ - `PR 64416 fix for 3.5 `_ - `PR 64415 fix for 3.4 `_ - `PR 64427 fix for 3.3 `_ - `PR 64431 fix for 2.7 `_ CVE-2023-6249 ------------- Signed to unsigned conversion problem in esp32_ipm_send may lead to buffer overflow - `Zephyr project bug tracker GHSA-32f5-3p9h-2rqc `_ This has been fixed in main for v3.6.0 - `PR 65546 fix for main `_ CVE-2023-6749 ------------- Potential buffer overflow due unchecked data coming from user input in settings shell. - `Zephyr project bug tracker GHSA-757h-rw37-66hw `_ This has been fixed in main for v3.6.0 - `PR 66451 fix for main `_ - `PR 66584 fix for 3.5 `_ CVE-2023-6881 ------------- Potential buffer overflow vulnerability in Zephyr fuse file system. - `Zephyr project bug tracker GHSA-mh67-4h3q-p437 `_ This has been fixed in main for v3.6.0 - `PR 66592 fix for main `_ CVE-2024-1638 ------------- Bluetooth characteristic LESC security requirement not enforced without additional flags - `Zephyr project bug tracker GHSA-p6f3-f63q-5mc2 `_ This has been fixed in main for v3.6.0 - `PR 69170 fix for main `_