
Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.


Threat Intelligence


CVE-2026-13351: Missing Release of Resource after Effective Lifetime in zephyrproject-rtos Zephyr

Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.

CVE-2026-10642: dos in zephyrproject zephyr

The Zephyr PL011 UART driver (drivers/serial/uart_pl011.c) contains an unbounded software loop in pl011_irq_tx_enable() that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit (PL011_IMSC_TXIM) is set, to work around the controller's level-transition TX-interrupt behavior. When CTS hardware flow control is enabled (devicetree hw-flow-control or runtime UART_CFG_FLOW_CTRL_RTS_CTS) and the wired serial peer de-asserts CTS, the controller stops draining the TX FIFO; pl011_fifo_fill() then returns 0 on every call while the application still has pending data and therefore never disables the TX interrupt. The loop condition never clears, so the thread that called uart_irq_tx_enable() (e.g. h4_send() in the Bluetooth HCI H4 driver) spins indefinitely, hanging the executing context and stalling the transport — a denial of service (CWE-835). An attacker controlling the device attached to the UART's CTS line can trigger the hang by withholding CTS during transmission. Impact is availability only; there is no memory-safety, confidentiality, or integrity consequence. The vulnerable loop was introduced in commit b783bc8448ef (Feb 2025) and shipped in releases v4.1.0 through v4.4.0. The fix breaks out of the loop when CTS is blocking and arms the CTS modem-status interrupt to resume transmission when CTS re-asserts.

CVE-2026-10658: Vulnerability in zephyrproject-rtos Zephyr

A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header (4 bytes, ts=0) without first verifying that buf->len contains at least that many bytes. The outer HCI ISO length check in hci_iso() validates payload length consistency but not the minimum inner SDU header size, so a packet with payload length 1 passes hci_iso() and then reaches net_buf_pull_mem(), which asserts buf->len >= len. As a result, malformed ISO traffic deterministically triggers a kernel assert (denial of service) in assert-enabled builds, and in non-assert builds the same path may proceed with an undersized buffer, leading to out-of-bounds read behavior. The issue affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled, particularly where incoming HCI data can be influenced by a malicious or compromised controller or malformed forwarded ISO traffic.

CVE-2026-10651: Improper Input Validation in zephyrproject-rtos Zephyr

A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then unconditionally pulls an additional byte for the value type without verifying that the byte is present. A truncated 3-byte attribute (for example 09 00 09) therefore reaches net_buf_simple_pull() with insufficient remaining length, triggering the __ASSERT_NO_MSG(buf->len >= len) check and a kernel panic in assert-enabled builds (denial of service). In builds where assertions are disabled, parsing may continue past the end of the available buffer, leading to an out-of-bounds read and undefined behavior.

CVE-2026-10645: Out-of-bounds Read in zephyrproject-rtos Zephyr

Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then copies the name with memcpy without validating the structural relationship between de_rec_len, de_name_len, and the directory block boundary (for example that de_rec_len is non-zero, at least the size of the entry header, and that the record fits within the block). Callers such as find_dir_entry() and ext2_get_direntry() (subsys/fs/ext2/ext2_impl.c) then advance traversal using the unvalidated de_rec_len. A crafted ext2 image can therefore cause an out-of-bounds read from the directory block buffer when a malformed entry near the end of a block triggers an oversized name copy, or a zero-progress infinite loop when de_rec_len == 0. The issue is not reached at mount time but later through directory traversal paths such as pathname lookup, stat/open/unlink/rename, and readdir. The primary impact is denial of service and out-of-bounds reads under attacker-controlled ext2 images mounted from untrusted media.

CVE-2026-10641: bounds in zephyrproject zephyr

A vulnerability in Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser allows a remote Bluetooth peer to cause an out-of-bounds write. This occurs during Service Level Connection setup when parsing the AG's +CIND: response, which can lead to memory corruption and denial of service. The issue affects builds with CONFIG_BT_HFP_HF enabled and has been present from version 1.7.0 through 4.4.0. No official patch or remediation has been confirmed yet.

CVE-2026-10640: use-after-free in zephyrproject zephyr

A use-after-free vulnerability exists in Zephyr's IPv6 Neighbor Discovery send paths when per-interface ICMP-sent statistics are enabled. The issue arises because the network stack releases the packet reference before updating interface statistics, leading to a potential dereference of freed memory. This can cause corrupted statistics, crashes (denial of service), or limited memory corruption. The vulnerability affects Zephyr versions from 3.3.0 through 4.4.0 and can be triggered by unauthenticated on-link nodes sending ICMPv6 Neighbor Solicitations. Configurations without per-interface statistics are not affected by the memory safety issue.

CVE-2026-10639: use-after-free in zephyrproject zephyr

CVE-2026-10639 is a use-after-free vulnerability in the Zephyr project's native IPv4 stack. It occurs in the icmpv4_handle_echo_request() function when handling echo-reply packets. After sending the packet, the code accesses a freed packet structure, leading to a use-after-free read and potential write through a stale pointer. This can cause corrupted interface statistics or a remotely triggerable denial of service (crash). The vulnerability affects versions from 1.14.0 through 4.4.0 and requires CONFIG_NET_STATISTICS_ICMP to be enabled.

CVE-2026-10638: use-after-free in zephyrproject zephyr

CVE-2026-10638 is a use-after-free vulnerability in the Zephyr project's networking stack affecting ICMPv6 handling. The flaw occurs because the network interface pointer is accessed after the associated network packet may have been freed, leading to potential memory corruption. An unauthenticated remote attacker can trigger this by sending crafted ICMPv6 Echo Requests or packets that cause ICMPv6 errors, resulting in denial of service via crash. The issue affects Zephyr versions roughly from 4.2.0 through 4.4.0 with CONFIG_NET_NATIVE_IPV6 enabled. The vulnerability has a medium severity with a CVSS score of 5.9. The fix involves caching the interface pointer before sending to avoid use-after-free access during statistics updates.

CVE-2026-10637: use-after-free in zephyrproject zephyr

CVE-2026-10637 is a use-after-free vulnerability in the Zephyr project's IPv6 multicast listener discovery (MLD) implementation. The vulnerability occurs because the network packet is accessed after ownership has been transferred and the packet freed, leading to a potential read of freed memory. This can cause a denial of service via a crash or, less likely, memory corruption. The issue is remotely triggerable on the local link without authentication by sending a valid MLDv2 General Query. The vulnerability affects Zephyr version 1.12.0 and has a medium severity rating with a CVSS score of 5.9.


Showing 1 to 10 of 15 results
