Filtered by vendor Zephyrproject
Filtered by product Zephyr
Total: 110 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10457 | 2 Zephyrproject, Zephyrproject-rtos | 2 Zephyr, Zephyr | 2025-10-29 | 4.3 Medium |
| The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching. | ||||
| CVE-2025-10456 | 2 Zephyrproject, Zephyrproject-rtos | 2 Zephyr, Zephyr | 2025-10-29 | 7.1 High |
| A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption, depending on the BLE stack implementation. | ||||
| CVE-2025-10458 | 2 Zephyrproject, Zephyrproject-rtos | 2 Zephyr, Zephyr | 2025-10-29 | 7.6 High |
| Parameters are not validated or sanitized, and are later used in various internal operations. | ||||
| CVE-2025-7403 | 2 Zephyrproject, Zephyrproject-rtos | 2 Zephyr, Zephyr | 2025-10-29 | 7.6 High |
| Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption. | ||||
| CVE-2024-10395 | 2 Zephyrproject, Zephyrproject-rtos | 2 Zephyr, Zephyr | 2025-10-29 | 8.6 High |
| No proper validation of the length of user input in http_server_get_content_type_from_extension. | ||||
| CVE-2024-5754 | 1 Zephyrproject | 1 Zephyr | 2025-09-17 | 8.2 High |
| BT: Encryption procedure host vulnerability | ||||
| CVE-2024-6137 | 2 Zephyrproject, Zephyrproject-rtos | 2 Zephyr, Zephyr | 2025-09-17 | 7.6 High |
| BT: Classic: SDP OOB access in get_att_search_list | ||||
| CVE-2024-6259 | 2 Zephyrproject, Zephyrproject-rtos | 2 Zephyr, Zephyr | 2025-09-17 | 7.6 High |
| BT: HCI: adv_ext_report Improper discarding in adv_ext_report | ||||
| CVE-2024-8798 | 1 Zephyrproject | 1 Zephyr | 2025-09-17 | 7.5 High |
| No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c. | ||||
| CVE-2024-6258 | 2 Zephyrproject, Zephyrproject-rtos | 2 Zephyr, Zephyr | 2025-09-17 | 6.8 Medium |
| BT: Missing length checks of net_buf in rfcomm_handle_data | ||||
| CVE-2024-5931 | 2 Zephyrproject, Zephyrproject-rtos | 2 Zephyr, Zephyr | 2025-09-17 | 6.3 Medium |
| BT: Unchecked user input in bap_broadcast_assistant | ||||
| CVE-2024-4785 | 1 Zephyrproject | 1 Zephyr | 2025-09-17 | 7.6 High |
| BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero | ||||
| CVE-2025-20696 | 6 Google, Linuxfoundation, Mediatek and 3 more | 37 Android, Yocto, Mt6739 and 34 more | 2025-08-18 | 6.8 Medium |
| In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09915215; Issue ID: MSV-3801. | ||||
| CVE-2023-4264 | 1 Zephyrproject | 1 Zephyr | 2025-06-18 | 7.1 High |
| Potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem. | ||||
| CVE-2023-5184 | 1 Zephyrproject | 1 Zephyr | 2025-06-18 | 7 High |
| Two potential signed to unsigned conversion errors and buffer overflow vulnerabilities at the following locations in the Zephyr IPM drivers. | ||||
| CVE-2022-2741 | 1 Zephyrproject | 1 Zephyr | 2025-05-05 | 8.2 High |
| The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The frame must have a CAN ID matching an installed filter in the vulnerable node (this can easily be guessed based on CAN traffic analyses). The frame must contain the opposite RTR bit as what the filter installed in the vulnerable node contains (if the filter matches RTR frames, the frame must be a data frame or vice versa). | ||||
| CVE-2024-1638 | 2 Zephyrproject, Zephyrproject-rtos | 2 Zephyr, Zephyr | 2025-04-24 | 8.2 High |
| The documentation describes the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characteristic as: "Attribute read/write permission with LE Secure Connection encryption. If set, requires that LE Secure Connections is used for read/write access." However, this is only true when they are combined with other permissions, namely BT_GATT_PERM_READ_ENCRYPT/BT_GATT_PERM_READ_AUTHEN (for read) or BT_GATT_PERM_WRITE_ENCRYPT/BT_GATT_PERM_WRITE_AUTHEN (for write). If these additional permissions are not set (even in secure connections only mode), the stack does not perform any permission checks on these characteristics and they can be freely written/read. | ||||
| CVE-2022-2993 | 1 Zephyrproject | 1 Zephyr | 2025-04-22 | 8.6 High |
| There is an error in the condition of the last if-statement in the function smp_check_keys. It was rejecting current keys if all requirements were unmet. | ||||
| CVE-2021-3966 | 1 Zephyrproject | 1 Zephyr | 2025-04-09 | 9.6 Critical |
| The USB device Bluetooth class includes a buffer overflow related to the implementation of net_buf_add_mem. | ||||
| CVE-2022-0553 | 1 Zephyrproject | 1 Zephyr | 2025-04-09 | 6.5 Medium |
| There is no check to see if slot 0 is being uploaded from the device to the host. When using encrypted images this means the unencrypted firmware can be retrieved easily. | ||||