CVE-2026-5067: Improper Null Termination in zephyrproject-rtos Zephyr
CVE-2026-5067 is a critical vulnerability in Zephyr version 3. 7. 0 affecting the HTTP server WebSocket upgrade path. An unauthenticated remote attacker can send a specially crafted Sec-WebSocket-Key header that triggers improper null termination in the HTTP/1 header parser. This leads to out-of-bounds read and write on stack memory, potentially causing denial of service or code execution. The vulnerability is exploitable only when the CONFIG_HTTP_SERVER_WEBSOCKET feature is enabled.
AI Analysis
Technical Summary
This vulnerability arises from the HTTP/1 header parser in Zephyr 3.7.0 copying the Sec-WebSocket-Key header into a fixed-size buffer without guaranteed null termination if the input length matches the buffer size. During WebSocket upgrade handling, this buffer is copied to a local stack buffer and passed to strlen(), which can read beyond the buffer bounds if no null terminator is present. Subsequent concatenation with the WebSocket magic string can cause out-of-bounds write on the stack, leading to memory corruption. The flaw can be triggered remotely without authentication, impacting confidentiality, integrity, and availability.
Potential Impact
Successful exploitation can result in out-of-bounds read and write on stack memory, causing application crashes (denial of service) and potentially arbitrary code execution. The vulnerability affects confidentiality, integrity, and availability of the affected system. It requires no privileges or user interaction and can be triggered remotely over the network.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, disabling the CONFIG_HTTP_SERVER_WEBSOCKET feature will mitigate exposure to this vulnerability. Monitor the Zephyr project advisories for updates and apply patches promptly once released.
CVE-2026-5067: Improper Null Termination in zephyrproject-rtos Zephyr
Description
CVE-2026-5067 is a critical vulnerability in Zephyr version 3. 7. 0 affecting the HTTP server WebSocket upgrade path. An unauthenticated remote attacker can send a specially crafted Sec-WebSocket-Key header that triggers improper null termination in the HTTP/1 header parser. This leads to out-of-bounds read and write on stack memory, potentially causing denial of service or code execution. The vulnerability is exploitable only when the CONFIG_HTTP_SERVER_WEBSOCKET feature is enabled.
CVSS v3.1
Score 9.8critical
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from the HTTP/1 header parser in Zephyr 3.7.0 copying the Sec-WebSocket-Key header into a fixed-size buffer without guaranteed null termination if the input length matches the buffer size. During WebSocket upgrade handling, this buffer is copied to a local stack buffer and passed to strlen(), which can read beyond the buffer bounds if no null terminator is present. Subsequent concatenation with the WebSocket magic string can cause out-of-bounds write on the stack, leading to memory corruption. The flaw can be triggered remotely without authentication, impacting confidentiality, integrity, and availability.
Potential Impact
Successful exploitation can result in out-of-bounds read and write on stack memory, causing application crashes (denial of service) and potentially arbitrary code execution. The vulnerability affects confidentiality, integrity, and availability of the affected system. It requires no privileges or user interaction and can be triggered remotely over the network.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, disabling the CONFIG_HTTP_SERVER_WEBSOCKET feature will mitigate exposure to this vulnerability. Monitor the Zephyr project advisories for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-03-27T22:30:27.757Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a27adb3e29bf47b504f94c8
Added to database: 6/9/2026, 6:07:47 AM
Last enriched: 6/9/2026, 6:18:28 AM
Last updated: 6/9/2026, 7:58:10 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.