.. _vulnerabilities:

Vulnerabilities
###############

This page collects all of the vulnerabilities that are discovered and
fixed in each release. It will also often have more details than are
available in the releases. Some vulnerabilities are deemed to be
sensitive, and will not be publicly discussed until there is
sufficient time to fix them. Because the release notes are locked to
a version, the information here can be updated after the embargo is
lifted.

CVE-2017
========

:cve:`2017-14199`
-----------------

Buffer overflow in :code:`getaddrinfo()`.

- `Zephyr project bug tracker ZEPSEC-12
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-12>`_

- `PR6158 fix for 1.11.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/6158>`_

:cve:`2017-14201`
-----------------

The shell DNS command can cause unpredictable results due to misuse of
stack variables.

Use After Free vulnerability in the Zephyr shell allows a serial or
telnet connected user to cause denial of service, and possibly remote
code execution.

This has been fixed in release v1.14.0.

- `Zephyr project bug tracker ZEPSEC-17
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-17>`_

- `PR13260 fix for v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/13260>`_

:cve:`2017-14202`
-----------------

The shell implementation does not protect against buffer overruns,
resulting in unpredictable behavior.

Improper Restriction of Operations within the Bounds of a Memory
Buffer vulnerability in the shell component of Zephyr allows a serial
or telnet connected user to cause a crash, possibly with arbitrary
code execution.

This has been fixed in release v1.14.0.

- `Zephyr project bug tracker ZEPSEC-18
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-18>`_

- `PR13048 fix for v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/13048>`_

CVE-2019
========

:cve:`2019-9506`
----------------

The Bluetooth BR/EDR specification up to and including version 5.1
permits sufficiently low encryption key length and does not prevent an
attacker from influencing the key length negotiation. This allows
practical brute-force attacks (aka "KNOB") that can decrypt traffic
and inject arbitrary ciphertext without the victim noticing.

- `Zephyr project bug tracker ZEPSEC-20
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-20>`_

- `PR18702 fix for v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/18702>`_

- `PR18659 fix for v2.0.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/18659>`_

CVE-2020
========

:cve:`2020-10019`
-----------------

Buffer Overflow vulnerability in USB DFU of Zephyr allows a USB
connected host to cause possible remote code execution.

This has been fixed in releases v1.14.2, v2.2.0, and v2.1.1.

- `Zephyr project bug tracker ZEPSEC-25
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-25>`_

- `PR23460 fix for 1.14.x
  <https://github.com/zephyrproject-rtos/zephyr/pull/23460>`_

- `PR23457 fix for 2.1.x
  <https://github.com/zephyrproject-rtos/zephyr/pull/23457>`_

- `PR23190 fix in 2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23190>`_

:cve:`2020-10021`
-----------------

Out-of-bounds write in USB Mass Storage with unaligned sizes

Out-of-bounds write in the USB Mass Storage memoryWrite handler with
unaligned sizes.

See NCC-ZEP-024, NCC-ZEP-025, NCC-ZEP-026

This has been fixed in releases v1.14.2 and v2.2.0.

- `Zephyr project bug tracker ZEPSEC-26
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-26>`_

- `PR23455 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23455>`_

- `PR23456 fix for the v2.1 branch
  <https://github.com/zephyrproject-rtos/zephyr/pull/23456>`_

- `PR23240 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23240>`_

:cve:`2020-10022`
-----------------

UpdateHub Module Copies a Variable-Size Hash String Into a Fixed-Size Array

A malformed JSON payload that is received from an UpdateHub server may
trigger memory corruption in the Zephyr OS. This could result in a
denial of service in the best case, or code execution in the worst
case.

See NCC-ZEP-016

This has been fixed in the below pull requests for main, branch from
v2.1.0, and branch from v2.2.0.

- `Zephyr project bug tracker ZEPSEC-28
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-28>`_

- `PR24154 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/24154>`_

- `PR24065 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24065>`_

- `PR24066 fix for branch from v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24066>`_

:cve:`2020-10023`
-----------------

Shell Subsystem Contains a Buffer Overflow Vulnerability In
shell_spaces_trim

The shell subsystem contains a buffer overflow, whereby an adversary
with physical access to the device is able to cause a memory
corruption, resulting in denial of service or possibly code execution
within the Zephyr kernel.

See NCC-ZEP-019

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `Zephyr project bug tracker ZEPSEC-29
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-29>`_

- `PR23646 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23646>`_

- `PR23649 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23649>`_

- `PR23304 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23304>`_

:cve:`2020-10024`
-----------------

ARM Platform Uses Signed Integer Comparison When Validating Syscall
Numbers

The ARM platform-specific code uses a signed integer comparison when
validating system call numbers. An attacker who has obtained code
execution within a user thread is able to elevate privileges to that
of the kernel.

See NCC-ZEP-001

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `Zephyr project bug tracker ZEPSEC-30
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-30>`_

- `PR23535 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23535>`_

- `PR23498 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23498>`_

- `PR23323 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23323>`_

:cve:`2020-10027`
-----------------

ARC Platform Uses Signed Integer Comparison When Validating Syscall
Numbers

An attacker who has obtained code execution within a user thread is
able to elevate privileges to that of the kernel.

See NCC-ZEP-001

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `Zephyr project bug tracker ZEPSEC-35
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-35>`_

- `PR23500 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23500>`_

- `PR23499 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23499>`_

- `PR23328 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23328>`_

:cve:`2020-10028`
-----------------

Multiple Syscalls In GPIO Subsystem Perform No Argument Validation

Multiple GPIO syscalls perform insufficient argument validation.

See NCC-ZEP-006

This has been fixed in releases v1.14.2 and v2.2.0, and in a branch
from v2.1.0.

- `Zephyr project bug tracker ZEPSEC-32
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-32>`_

- `PR23733 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23733>`_

- `PR23737 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23737>`_

- `PR23308 fix for v2.2.0 (gpio patch)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23308>`_

:cve:`2020-10058`
-----------------

Multiple Syscalls In kscan Subsystem Perform No Argument Validation

Multiple syscalls in the kscan subsystem perform insufficient argument
validation, allowing code executing in userspace to potentially gain
elevated privileges.

See NCC-ZEP-006

This has been fixed in a branch from v2.1.0, and in release v2.2.0.

- `Zephyr project bug tracker ZEPSEC-34
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-34>`_

- `PR23748 fix for branch from v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23748>`_

- `PR23308 fix for v2.2.0 (kscan patch)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23308>`_

:cve:`2020-10059`
-----------------

UpdateHub Module Explicitly Disables TLS Verification

The UpdateHub module disables DTLS peer checking, which allows for a
man in the middle attack. This is mitigated by firmware images
requiring valid signatures. However, there is no benefit to using DTLS
without the peer checking.

See NCC-ZEP-018

This has been fixed in a PR against Zephyr main.

- `Zephyr project bug tracker ZEPSEC-36
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-36>`_

- `PR24954 fix on main (to be fixed in v2.3.0)
  <https://github.com/zephyrproject-rtos/zephyr/pull/24954>`_

- `PR24999 fix for v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24999>`_

- `PR24997 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/24997>`_

:cve:`2020-10060`
-----------------

UpdateHub Might Dereference An Uninitialized Pointer

In updatehub_probe, right after JSON parsing is complete, objects[1]
is accessed from the output structure in two different places. If the
JSON contained fewer than two elements, this access would reference
uninitialized stack memory. This could result in a crash, denial of
service, or possibly an information leak.

Recommend disabling UpdateHub until such a time as a fix can be made
available.

See NCC-ZEP-030

This has been fixed in a PR against Zephyr main.

- `Zephyr project bug tracker ZEPSEC-37
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-37>`_

- `PR27865 fix on main (to be fixed in v2.4.0)
  <https://github.com/zephyrproject-rtos/zephyr/pull/27865>`_

- `PR27889 fix for v2.3.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/27889>`_

- `PR27891 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/27891>`_

- `PR27893 fix for v2.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/27893>`_

:cve:`2020-10061`
-----------------

Error handling invalid packet sequence

Improper handling of the full-buffer case in the Zephyr Bluetooth
implementation can result in memory corruption.

This has been fixed in branches for v1.14.0 and v2.2.0, and will be
included in v2.3.0.

- `Zephyr project bug tracker ZEPSEC-75
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-75>`_

- `PR23516 fix for v2.3 (split driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23516>`_

- `PR23517 fix for v2.3 (legacy driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23517>`_

- `PR23091 fix for branch from v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_

- `PR23547 fix for branch from v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23547>`_

:cve:`2020-10062`
-----------------

Packet length decoding error in MQTT

An off-by-one error in the Zephyr project MQTT packet length decoder
can result in memory corruption and possible remote code execution.
NCC-ZEP-031

The MQTT packet header length can be 1 to 4 bytes. An off-by-one error
in the code can result in this being interpreted as 5 bytes, which can
cause an integer overflow, resulting in memory corruption.

This has been fixed in main for v2.3.

- `Zephyr project bug tracker ZEPSEC-84
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-84>`_

- `commit 11b7a37d for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/11b7a37d9a0b438270421b224221d91929843de4>`_

- `NCC-ZEP report`_ (NCC-ZEP-031)

.. _NCC-ZEP report: https://research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-assessment

:cve:`2020-10063`
-----------------

Remote Denial of Service in CoAP Option Parsing Due To Integer
Overflow

A remote adversary with the ability to send arbitrary CoAP packets to
be parsed by Zephyr is able to cause a denial of service.

This has been fixed in main for v2.3.

- `Zephyr project bug tracker ZEPSEC-55
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-55>`_

- `PR24435 fix in main for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/24435>`_

- `PR24531 fix for branch from v2.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/24531>`_

- `PR24535 fix for branch from v2.1
  <https://github.com/zephyrproject-rtos/zephyr/pull/24535>`_

- `PR24530 fix for branch from v1.14
  <https://github.com/zephyrproject-rtos/zephyr/pull/24530>`_

- `NCC-ZEP report`_ (NCC-ZEP-032)

:cve:`2020-10064`
-----------------

Improper Input Frame Validation in ieee802154 Processing

- `Zephyr project bug tracker ZEPSEC-65
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-65>`_

- `PR24971 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/24971>`_

- `PR33451 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33451>`_

:cve:`2020-10065`
-----------------

OOB Write after not validating user-supplied length (<= 0xffff) and
copying to fixed-size buffer (default: 77 bytes) for HCI_ACL packets in
the Bluetooth HCI over SPI driver.

- `Zephyr project bug tracker ZEPSEC-66
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-66>`_

- This issue has not been fixed.

:cve:`2020-10066`
-----------------

Incorrect Error Handling in Bluetooth HCI core

In hci_cmd_done, the buf argument being passed as null causes a
null pointer dereference.

- `Zephyr project bug tracker ZEPSEC-67
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-67>`_

- `PR24902 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/24902>`_

- `PR25089 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/25089>`_

:cve:`2020-10067`
-----------------

Integer Overflow In is_in_region Allows User Thread To Access Kernel Memory

A malicious userspace application can cause an integer overflow and
bypass security checks performed by system call handlers. The impact
would depend on the underlying system call and can range from denial
of service to information leak to memory corruption resulting in code
execution within the kernel.

See NCC-ZEP-005

This has been fixed in releases v1.14.2 and v2.2.0.

- `Zephyr project bug tracker ZEPSEC-27
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-27>`_

- `PR23653 fix for v1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/23653>`_

- `PR23654 fix for the v2.1 branch
  <https://github.com/zephyrproject-rtos/zephyr/pull/23654>`_

- `PR23239 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23239>`_

:cve:`2020-10068`
-----------------

Zephyr Bluetooth DLE duplicate requests vulnerability

In the Zephyr project Bluetooth subsystem, certain duplicate and
back-to-back packets can cause incorrect behavior, resulting in a
denial of service.

This has been fixed in branches for v1.14.0 and v2.2.0, and will be
included in v2.3.0.

- `Zephyr project bug tracker ZEPSEC-78
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-78>`_

- `PR23707 fix for v2.3 (split driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23707>`_

- `PR23708 fix for v2.3 (legacy driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23708>`_

- `PR23091 fix for branch from v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_

- `PR23964 fix for v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23964>`_

:cve:`2020-10069`
-----------------

Zephyr Bluetooth unchecked packet data results in denial of service

An unchecked parameter in Bluetooth data can result in an assertion
failure or division by zero, resulting in a denial of service attack.

This has been fixed in branches for v1.14.0 and v2.2.0, and will be
included in v2.3.0.

- `Zephyr project bug tracker ZEPSEC-81
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-81>`_

- `PR23705 fix for v2.3 (split driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23705>`_

- `PR23706 fix for v2.3 (legacy driver)
  <https://github.com/zephyrproject-rtos/zephyr/pull/23706>`_

- `PR23091 fix for branch from v1.14.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23091>`_

- `PR23963 fix for branch from v2.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/23963>`_

:cve:`2020-10070`
-----------------

MQTT buffer overflow on receive buffer

In the Zephyr Project MQTT code, improper bounds checking can result
in memory corruption and possibly remote code execution. NCC-ZEP-031

When calculating the packet length, arithmetic overflow can result in
accepting a receive buffer larger than the available buffer space,
resulting in user data being written beyond this buffer.

This has been fixed in main for v2.3.
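The two length rules behind CVE-2020-10062 and CVE-2020-10070, as an added example that is not Zephyr's code: a remaining-length decoder that stops at the 4-byte limit the MQTT 3.1.1 encoding allows (so a fifth continuation byte is rejected instead of being scaled into a 32-bit overflow), and a fit check that compares the decoded length against the receive buffer without an addition that can wrap. All function, constant and sample names are the example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MQTT 3.1.1 "remaining length": 1 to 4 bytes, 7 value bits per byte,
 * MSB set means another byte follows.  The largest encodable value is
 * 127 * (1 + 128 + 128^2 + 128^3) = 268435455, which fits in 32 bits.
 * A loop bound of 5 instead of 4 would scale a 5th byte by 128^4 = 2^28
 * and can wrap a 32-bit accumulator; this decoder stops at 4. */
#define MQTT_REMLEN_MAX_BYTES 4U

enum remlen_status {
    REMLEN_OK = 0,
    REMLEN_NEED_MORE, /* field is not complete in the bytes seen so far */
    REMLEN_MALFORMED, /* continuation bit still set after 4 bytes */
    REMLEN_TOO_LARGE  /* well formed, but the packet exceeds the rx buffer */
};

/* Decode the remaining-length field at buf[0..buf_len).  On REMLEN_OK,
 * *value holds the decoded length and *consumed the field size (1..4). */
enum remlen_status mqtt_decode_remaining_length(const uint8_t *buf, size_t buf_len,
                                                uint32_t *value, size_t *consumed)
{
    uint32_t acc = 0;
    uint32_t multiplier = 1;

    for (size_t i = 0; i < MQTT_REMLEN_MAX_BYTES; i++) {
        if (i >= buf_len) {
            return REMLEN_NEED_MORE;
        }
        acc += (uint32_t)(buf[i] & 0x7FU) * multiplier;
        if ((buf[i] & 0x80U) == 0) {
            *value = acc;
            *consumed = i + 1;
            return REMLEN_OK;
        }
        multiplier *= 128U;
    }
    /* Four bytes consumed and the continuation bit is still set. */
    return REMLEN_MALFORMED;
}

/* True when fixed header + remaining length fits in rx_buf_size.  Written
 * as a subtraction so the check itself cannot wrap the way the addition
 * "header + remaining <= size" can. */
bool mqtt_packet_fits(size_t fixed_header_len, uint32_t remaining_len, size_t rx_buf_size)
{
    if (fixed_header_len > rx_buf_size) {
        return false;
    }
    return (size_t)remaining_len <= rx_buf_size - fixed_header_len;
}

/* Validate a packet whose control byte is buf[0] and whose remaining-length
 * field starts at buf[1].  Returns REMLEN_OK only when the field is well
 * formed and the whole packet fits in rx_buf_size. */
enum remlen_status mqtt_check_packet(const uint8_t *buf, size_t buf_len,
                                     size_t rx_buf_size, uint32_t *remaining)
{
    size_t consumed = 0;
    enum remlen_status st;

    if (buf_len < 1) {
        return REMLEN_NEED_MORE;
    }
    st = mqtt_decode_remaining_length(buf + 1, buf_len - 1, remaining, &consumed);
    if (st != REMLEN_OK) {
        return st;
    }
    return mqtt_packet_fits(1 + consumed, *remaining, rx_buf_size) ? REMLEN_OK
                                                                    : REMLEN_TOO_LARGE;
}

int main(void)
{
    /* Constructed sample headers, not captured traffic. */
    const uint8_t two_bytes[]  = {0x30, 0x80, 0x01};                   /* len 128 */
    const uint8_t max_bytes[]  = {0x30, 0xFF, 0xFF, 0xFF, 0x7F};       /* len 268435455 */
    const uint8_t five_bytes[] = {0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F}; /* bogus 5th byte */
    uint32_t len = 0;
    enum remlen_status st;

    st = mqtt_check_packet(two_bytes, sizeof(two_bytes), 256, &len);
    printf("len 128 into 256-byte rx buffer: status %d (len %u)\n", st, (unsigned)len);
    st = mqtt_check_packet(max_bytes, sizeof(max_bytes), 256, &len);
    printf("max len into 256-byte rx buffer: status %d\n", st);
    st = mqtt_check_packet(five_bytes, sizeof(five_bytes), 256, &len);
    printf("5-byte length field: status %d\n", st);
    return 0;
}
```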

- `Zephyr project bug tracker ZEPSEC-85
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-85>`_

- `commit 0b39cbf3 for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/0b39cbf3c01d7feec9d0dd7cc7e0e374b6113542>`_

- `NCC-ZEP report`_ (NCC-ZEP-031)

:cve:`2020-10071`
-----------------

Insufficient publish message length validation in MQTT

The Zephyr MQTT parsing code performs insufficient checking of the
length field on publish messages, allowing a buffer overflow and
potentially remote code execution. NCC-ZEP-031

This has been fixed in main for v2.3.

- `Zephyr project bug tracker ZEPSEC-86
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-86>`_

- `commit 989c4713 fix for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/23821/commits/989c4713ba429aa5105fe476b4d629718f3e6082>`_

- `NCC-ZEP report`_ (NCC-ZEP-031)

:cve:`2020-10072`
-----------------

All threads can access all socket file descriptors

There is no management of permissions to network socket API file
descriptors. Any thread running on the system may read/write a socket
file descriptor knowing only the numerical value of the file
descriptor.

- `Zephyr project bug tracker ZEPSEC-87
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-87>`_

- `PR25804 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/25804>`_

- `PR27176 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/27176>`_

:cve:`2020-10136`
-----------------

IP-in-IP protocol routes arbitrary traffic by default zephyrproject

- `Zephyr project bug tracker ZEPSEC-64
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-64>`_

:cve:`2020-13598`
-----------------

FS: Buffer Overflow when enabling Long File Names in FAT_FS and calling fs_stat

Performing fs_stat on a file with a filename longer than 12
characters will cause a buffer overflow.

- `Zephyr project bug tracker ZEPSEC-88
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-88>`_

- `PR25852 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/25852>`_

- `PR28782 fix for v2.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/28782>`_

- `PR33577 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33577>`_

:cve:`2020-13599`
-----------------

Security problem with settings and littlefs

When settings is used in combination with littlefs, all security
related information can be extracted from the device using MCUmgr, and
this could be used e.g. in bt-mesh to get the device key, network key
and app keys from the device.

- `Zephyr project bug tracker ZEPSEC-57
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-57>`_

- `PR26083 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/26083>`_

:cve:`2020-13600`
-----------------

Malformed SPI in response for eswifi can corrupt kernel memory

- `Zephyr project bug tracker ZEPSEC-91
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-91>`_

- `PR26712 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/26712>`_

:cve:`2020-13601`
-----------------

Possible read out of bounds in dns read

- `Zephyr project bug tracker ZEPSEC-92
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-92>`_

- `PR27774 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/27774>`_

- `PR30503 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/30503>`_

:cve:`2020-13602`
-----------------

Remote Denial of Service in LwM2M do_write_op_tlv

In the Zephyr LwM2M implementation, malformed input can result in an
infinite loop, resulting in a denial of service attack.

- `Zephyr project bug tracker ZEPSEC-56
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-56>`_

- `PR26571 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/26571>`_

- `PR33578 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33578>`_

:cve:`2020-13603`
-----------------

Possible overflow in mempool

* Zephyr offers a pre-built ``malloc`` wrapper function instead.
* The ``malloc`` function is a wrapper for the ``sys_mem_pool_alloc`` function.
* ``sys_mem_pool_alloc`` allocates ``size + WB_UP(sizeof(struct sys_mem_pool_block))`` in an unsafe manner.
* Asking for very large size values leads to internal integer wrap-around.
* Integer wrap-around leads to successful allocation of very small memory.
* For example: calling ``malloc(0xffffffff)`` leads to successful allocation of 7 bytes.
* That leads to heap overflow.

- `Zephyr project bug tracker ZEPSEC-111
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-111>`_

- `PR31796 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/31796>`_

- `PR32808 fix for v1.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/26571>`_

CVE-2021
========

:cve:`2021-3319`
----------------

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses

Improper processing of omitted source and destination addresses in
ieee802154 frame validation (ieee802154_validate_frame)

This has been fixed in main for v2.5.0

- `Zephyr project bug tracker GHSA-94jg-2p6q-5364
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364>`_

- `PR31908 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/31908>`_

:cve:`2021-3320`
----------------

Mismatch between validation and handling of 802154 ACK frames, where
ACK frames are considered during validation, but not during actual
processing, leading to a type confusion.

- `PR31908 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/31908>`_

:cve:`2021-3321`
----------------

Incomplete check of minimum IEEE 802154 fragment size leading to an
integer underflow.

- `Zephyr project bug tracker ZEPSEC-114
  <https://zephyrprojectsec.atlassian.net/browse/ZEPSEC-114>`_

- `PR33453 fix for v2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33453>`_

:cve:`2021-3323`
----------------

Integer Underflow in 6LoWPAN IPHC Header Uncompression

This has been fixed in main for v2.5.0

- `Zephyr project bug tracker GHSA-89j6-qpxf-pfpc
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-89j6-qpxf-pfpc>`_

- `PR 31971 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/31971>`_

:cve:`2021-3430`
----------------

Assertion reachable with repeated LL_CONNECTION_PARAM_REQ.

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-46h3-hjcq-2jjr
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-46h3-hjcq-2jjr>`_

- `PR 33272 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33272>`_

- `PR 33369 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_

- `PR 33759 fix for 1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/33759>`_

:cve:`2021-3431`
----------------

BT: Assertion failure on repeated LL_FEATURE_REQ

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-7548-5m6f-mqv9
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7548-5m6f-mqv9>`_

- `PR 33340 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33340>`_

- `PR 33369 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_

:cve:`2021-3432`
----------------

Invalid interval in CONNECT_IND leads to Division by Zero

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-7364-p4wc-8mj4
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7364-p4wc-8mj4>`_

- `PR 33278 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33278>`_

- `PR 33369 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_

:cve:`2021-3433`
----------------

BT: Invalid channel map in CONNECT_IND results in Deadlock

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-3c2f-w4v6-qxrp
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3c2f-w4v6-qxrp>`_

- `PR 33278 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33278>`_

- `PR 33369 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33369>`_

:cve:`2021-3434`
----------------

L2CAP: Stack based buffer overflow in le_ecred_conn_req()

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-8w87-6rfp-cfrm
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8w87-6rfp-cfrm>`_

- `PR 33305 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33305>`_

- `PR 33419 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33419>`_

- `PR 33418 fix for 1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/33418>`_

:cve:`2021-3435`
----------------

L2CAP: Information leakage in le_ecred_conn_req()

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-xhg3-gvj6-4rqh
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xhg3-gvj6-4rqh>`_

- `PR 33305 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33305>`_

- `PR 33419 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33419>`_

- `PR 33418 fix for 1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/33418>`_

:cve:`2021-3436`
----------------

Bluetooth: Possible to overwrite an existing bond during keys
distribution phase
when the identity address of the bond is known

During the distribution of the identity address information we don't
check for an existing bond with the same identity address. This means
that a duplicate entry will be created in RAM while the newest entry
will overwrite the existing one in persistent storage.

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-j76f-35mc-4h63
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63>`_

- `PR 33266 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/33266>`_

- `PR 33432 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33432>`_

- `PR 33433 fix for 2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33433>`_

- `PR 33718 fix for 1.14.2
  <https://github.com/zephyrproject-rtos/zephyr/pull/33718>`_

:cve:`2021-3454`
----------------

Truncated L2CAP K-frame causes assertion failure

For example, sending an L2CAP K-frame where the SDU length field is
truncated to only one byte causes an assertion failure in previous
releases of Zephyr. This has been fixed in master by commit 0ba9437
but has not yet been backported to older release branches.

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-fx88-6c29-vrp3
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-vrp3>`_

- `PR 32588 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/32588>`_

- `PR 33513 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/33513>`_

- `PR 33514 fix for 2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/33514>`_

:cve:`2021-3455`
----------------

Disconnecting L2CAP channel right after invalid ATT request leads to freeze

When a Central device connects to a peripheral and creates an L2CAP
connection for Enhanced ATT, sending some invalid ATT request and
disconnecting immediately causes a freeze.

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-7g38-3x9v-v7vp
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7g38-3x9v-v7vp>`_

- `PR 35597 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/35597>`_

- `PR 36104 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/36104>`_

- `PR 36105 fix for 2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/36105>`_

:cve:`2021-3510`
----------------

Zephyr JSON decoder incorrectly decodes array of array

When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray has the token
type JSON_TOK_LIST_START, but then assigns to the object part of the
union. arr_parse then takes the offset of the array-object (which has
nothing to do with the list), treats it as relative to the parent
object, and stores the length of the subarray in there.

This has been fixed in main for v2.7.0

- `Zephyr project bug tracker GHSA-289f-7mw3-2qf4
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4>`_

- `PR 36340 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/36340>`_

- `PR 37816 fix for 2.6
  <https://github.com/zephyrproject-rtos/zephyr/pull/37816>`_

:cve:`2021-3581`
----------------

HCI data not properly checked leads to memory overflow in the Bluetooth stack

In the process of setting SCAN_RSP through the HCI command, the Zephyr
Bluetooth protocol stack did not effectively check the length of the
incoming HCI data. This causes a memory overflow in which data in
memory is overwritten, and may even allow arbitrary code execution.

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-8q65-5gqf-fmw5
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8q65-5gqf-fmw5>`_

- `PR 35935 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/35935>`_

- `PR 35984 fix for 2.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/35984>`_

- `PR 35985 fix for 2.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/35985>`_

- `PR 35985 fix for 1.14
  <https://github.com/zephyrproject-rtos/zephyr/pull/35985>`_

:cve:`2021-3625`
----------------

Buffer overflow in Zephyr USB DFU DNLOAD

This has been fixed in main for v2.6.0

- `Zephyr project bug tracker GHSA-c3gr-hgvr-f363
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3gr-hgvr-f363>`_

- `PR 36694 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/36694>`_

:cve:`2021-3835`
----------------

Buffer overflow in Zephyr USB device class

This has been fixed in main for v3.0.0

- `Zephyr project bug tracker GHSA-fm6v-8625-99jf
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fm6v-8625-99jf>`_

- `PR 42093 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/42093>`_

- `PR 42167 fix for 2.7
  <https://github.com/zephyrproject-rtos/zephyr/pull/42167>`_

:cve:`2021-3861`
----------------

Buffer overflow in the RNDIS USB device class

This has been fixed in main for v3.0.0

- `Zephyr project bug tracker GHSA-hvfp-w4h8-gxvj
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hvfp-w4h8-gxvj>`_

- `PR 39725 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/39725>`_

:cve:`2021-3966`
----------------

USB Bluetooth device ACL read cb buffer overflow

This has been fixed in main for v3.0.0

- `Zephyr project bug tracker GHSA-hfxq-3w6x-fv2m
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hfxq-3w6x-fv2m>`_

- `PR 42093 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/42093>`_

- `PR 42167 fix for v2.7.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/42167>`_

CVE-2022
========

:cve:`2022-0553`
----------------

Possible to retrieve unencrypted firmware image

This has been fixed in main for v3.0.0

- `Zephyr project bug tracker GHSA-wrj2-9vj9-rrcp
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wrj2-9vj9-rrcp>`_

- `PR 42424 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/42424>`_

:cve:`2022-1041`
----------------

Out-of-bound write vulnerability in the Bluetooth Mesh core stack can be triggered during provisioning

This has been fixed in main for v3.1.0

- `Zephyr project bug tracker GHSA-p449-9hv9-pj38
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p449-9hv9-pj38>`_

- `PR 45136 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/45136>`_

- `PR 45188 fix for v3.0.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/45188>`_

- `PR 45187 fix for v2.7.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/45187>`_

:cve:`2022-1042`
----------------

Out-of-bound write vulnerability in the Bluetooth Mesh core stack can be triggered during provisioning

This has been fixed in main for v3.1.0

- `Zephyr project bug tracker GHSA-j7v7-w73r-mm5x
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j7v7-w73r-mm5x>`_

- `PR 45066 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/45066>`_

- `PR 45135 fix for v3.0.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/45135>`_

- `PR 45134 fix for v2.7.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/45134>`_

:cve:`2022-1841`
----------------

Out-of-Bound Write in tcp_flags

This has been fixed in main for v3.1.0

- `Zephyr project bug tracker GHSA-5c3j-p8cr-2pgh
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-5c3j-p8cr-2pgh>`_

- `PR 45796 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/45796>`_

:cve:`2022-2741`
----------------

can: denial-of-service can be triggered by a crafted CAN frame

This has been fixed in main for v3.2.0

- `Zephyr project bug tracker GHSA-hx5v-j59q-c3j8
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hx5v-j59q-c3j8>`_

- `PR 47903 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/47903>`_

- `PR 47957 fix for v3.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/47957>`_

- `PR 47958 fix for v3.0.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/47958>`_

- `PR 47959 fix for v2.7.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/47959>`_

:cve:`2022-2993`
----------------

bt: host: Wrong key validation check

This has been fixed in main for v3.2.0

- `Zephyr project bug tracker GHSA-3286-jgjx-8cvr
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3286-jgjx-8cvr>`_

- `PR 48733 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/48733>`_

:cve:`2022-3806`
----------------

DoS: Invalid Initialization in le_read_buffer_size_complete()

- `Zephyr project bug tracker GHSA-w525-fm68-ppq3
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-w525-fm68-ppq3>`_

CVE-2023
========

:cve:`2023-0396`
----------------

Buffer Overreads in Bluetooth HCI

- `Zephyr project bug tracker GHSA-8rpp-6vxq-pqg3
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8rpp-6vxq-pqg3>`_

:cve:`2023-0397`
----------------

DoS: Invalid Initialization in le_read_buffer_size_complete()

- `Zephyr project bug tracker GHSA-wc2h-h868-q7hj
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wc2h-h868-q7hj>`_

This has been fixed in main for v3.3.0

- `PR 54905 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/54905>`_

- `PR 47957 fix for v3.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/55024>`_

- `PR 47958 fix for v3.1.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/55023>`_

- `PR 47959 fix for v2.7.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/55022>`_

:cve:`2023-0779`
----------------

net: shell: Improper input validation

- `Zephyr project bug tracker GHSA-9xj8-6989-r549
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-9xj8-6989-r549>`_

This has been fixed in main for v3.3.0

- `PR 54371 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/54371>`_

- `PR 54380 fix for v3.2.0
  <https://github.com/zephyrproject-rtos/zephyr/pull/54380>`_

- `PR 54381 fix for v2.7.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/54381>`_

:cve:`2023-1901`
----------------

HCI send_sync Dangling Semaphore Reference Re-use

- `Zephyr project bug tracker GHSA-xvvm-8mcm-9cq3
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xvvm-8mcm-9cq3>`_

This has been fixed in main for v3.4.0

- `PR 56709 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/56709>`_

:cve:`2023-1902`
----------------

HCI Connection Creation Dangling State Reference Re-use

- `Zephyr project bug tracker GHSA-fx9g-8fr2-q899
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx9g-8fr2-q899>`_

This has been fixed in main for v3.4.0

- `PR 56709 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/56709>`_

:cve:`2023-3725`
----------------

Potential buffer overflow vulnerability in the Zephyr CANbus subsystem.

- `Zephyr project bug tracker GHSA-2g3m-p6c7-8rr3
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-2g3m-p6c7-8rr3>`_

This has been fixed in main for v3.5.0

- `PR 61502 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/61502>`_

- `PR 61518 fix for 3.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/61518>`_

- `PR 61517 fix for 3.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/61517>`_

- `PR 61516 fix for 2.7
  <https://github.com/zephyrproject-rtos/zephyr/pull/61516>`_

:cve:`2023-4257`
----------------

Unchecked user input length in the Zephyr WiFi shell module can cause
buffer overflows.

- `Zephyr project bug tracker GHSA-853q-q69w-gf5j
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-853q-q69w-gf5j>`_

This has been fixed in main for v3.5.0

- `PR 605377 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/605377>`_

- `PR 61383 fix for 3.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/61383>`_

:cve:`2023-4258`
----------------

bt: mesh: vulnerability in provisioning protocol implementation on provisionee side

- `Zephyr project bug tracker GHSA-m34c-cp63-rwh7
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-m34c-cp63-rwh7>`_

This has been fixed in main for v3.5.0

- `PR 59467 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/59467>`_

- `PR 60078 fix for 3.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/60078>`_

- `PR 60079 fix for 3.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/60079>`_

:cve:`2023-4259`
----------------

Buffer overflow vulnerabilities in the Zephyr eS-WiFi driver

- `Zephyr project bug tracker GHSA-gghm-c696-f4j4
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gghm-c696-f4j4>`_

This has been fixed in main for v3.5.0

- `PR 63074 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/63074>`_

- `PR 63750 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/63750>`_

:cve:`2023-4260`
----------------

Off-by-one buffer overflow vulnerability in the Zephyr FS subsystem

- `Zephyr project bug tracker GHSA-gj27-862r-55wh
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gj27-862r-55wh>`_

This has been fixed in main for v3.5.0

- `PR 63079 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/63079>`_

:cve:`2023-4262`
----------------

- This issue has been determined to be a false positive after further analysis.

:cve:`2023-4263`
----------------

Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nRF 15.4 driver.

- `Zephyr project bug tracker GHSA-rf6q-rhhp-pqhf
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rf6q-rhhp-pqhf>`_

This has been fixed in main for v3.5.0

- `PR 60528 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/60528>`_

- `PR 61384 fix for 3.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/61384>`_

- `PR 61216 fix for 2.7
  <https://github.com/zephyrproject-rtos/zephyr/pull/61216>`_

:cve:`2023-4264`
----------------

Potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem

- `Zephyr project bug tracker GHSA-rgx6-3w4j-gf5j
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rgx6-3w4j-gf5j>`_

This has been fixed in main for v3.5.0

- `PR 58834 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/58834>`_

- `PR 60465 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/60465>`_

- `PR 61845 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/61845>`_

- `PR 61385 fix for 3.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/61385>`_

:cve:`2023-4265`
----------------

Two potential buffer overflow vulnerabilities in Zephyr USB code

- `Zephyr project bug tracker GHSA-4vgv-5r6q-r6xh
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4vgv-5r6q-r6xh>`_

This has been fixed in main for v3.4.0

- `PR 59157 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/59157>`_

- `PR 59018 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/59018>`_

:cve:`2023-4424`
----------------

bt: hci: DoS and possible RCE

- `Zephyr project bug tracker GHSA-j4qm-xgpf-qjw3
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j4qm-xgpf-qjw3>`_

This has been fixed in main for v3.5.0

- `PR 61651 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/61651>`_

- `PR 61696 fix for 3.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/61696>`_

- `PR 61695 fix for 3.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/61695>`_

- `PR 61694 fix for 2.7
  <https://github.com/zephyrproject-rtos/zephyr/pull/61694>`_

:cve:`2023-5055`
----------------

L2CAP: Possible Stack based buffer overflow in le_ecred_reconf_req()

- `Zephyr project bug tracker GHSA-wr8r-7f8x-24jj
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wr8r-7f8x-24jj>`_

This has been fixed in main for v3.5.0

- `PR 62381 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/62381>`_

:cve:`2023-5139`
----------------

Potential buffer overflow vulnerability in the Zephyr STM32 Crypto driver.

- `Zephyr project bug tracker GHSA-rhrc-pcxp-4453
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-rhrc-pcxp-4453>`_

This has been fixed in main for v3.5.0

- `PR 61839 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/61839>`_

:cve:`2023-5184`
----------------

Potential signed to unsigned conversion errors and buffer overflow
vulnerabilities in the Zephyr IPM driver

- `Zephyr project bug tracker GHSA-8x3p-q3r5-xh9g
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-8x3p-q3r5-xh9g>`_

This has been fixed in main for v3.5.0

- `PR 63069 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/63069>`_

:cve:`2023-5563`
----------------

The SJA1000 CAN controller driver backend automatically attempts to recover
from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y.
This results in calling k_sleep() in IRQ context, causing a fatal exception.

- `Zephyr project bug tracker GHSA-98mc-rj7w-7rpv
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-98mc-rj7w-7rpv>`_

This has been fixed in main for v3.5.0

- `PR 63713 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/63713>`_

- `PR 63718 fix for 3.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/63718>`_

- `PR 63717 fix for 3.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/63717>`_

:cve:`2023-5753`
----------------

Potential buffer overflow vulnerabilities in the Zephyr Bluetooth
subsystem source code when asserts are disabled.

- `Zephyr project bug tracker GHSA-hmpr-px56-rvww
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-hmpr-px56-rvww>`_

This has been fixed in main for v3.5.0

- `PR 63605 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/63605>`_

:cve:`2023-5779`
----------------

Out of bounds issue in remove_rx_filter in multiple CAN drivers.

- `Zephyr project bug tracker GHSA-7cmj-963q-jj47
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7cmj-963q-jj47>`_

This has been fixed in main for v3.6.0

- `PR 64399 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/64399>`_

- `PR 64416 fix for 3.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/64416>`_

- `PR 64415 fix for 3.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/64415>`_

- `PR 64427 fix for 3.3
  <https://github.com/zephyrproject-rtos/zephyr/pull/64427>`_

- `PR 64431 fix for 2.7
  <https://github.com/zephyrproject-rtos/zephyr/pull/64431>`_

:cve:`2023-6249`
----------------

Signed to unsigned conversion problem in esp32_ipm_send may lead to buffer overflow

- `Zephyr project bug tracker GHSA-32f5-3p9h-2rqc
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-32f5-3p9h-2rqc>`_

This has been fixed in main for v3.6.0

- `PR 65546 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/65546>`_

:cve:`2023-6749`
----------------

Potential buffer overflow due to unchecked data coming from user input in the settings shell.

- `Zephyr project bug tracker GHSA-757h-rw37-66hw
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-757h-rw37-66hw>`_

This has been fixed in main for v3.6.0

- `PR 66451 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/66451>`_

- `PR 66584 fix for 3.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/66584>`_

:cve:`2023-6881`
----------------

Potential buffer overflow vulnerability in Zephyr fuse file system.

- `Zephyr project bug tracker GHSA-mh67-4h3q-p437
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-mh67-4h3q-p437>`_

This has been fixed in main for v3.6.0

- `PR 66592 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/66592>`_

:cve:`2023-7060`
----------------

Missing Security Control in Zephyr OS IP Packet Handling

- `Zephyr project bug tracker GHSA-fjc8-223c-qgqr
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fjc8-223c-qgqr>`_

This has been fixed in main for v3.6.0

- `PR 66645 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/66645>`_

- `PR 66739 fix for 3.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/66739>`_

- `PR 66738 fix for 3.4
  <https://github.com/zephyrproject-rtos/zephyr/pull/66738>`_

- `PR 66887 fix for 2.7
  <https://github.com/zephyrproject-rtos/zephyr/pull/66887>`_

CVE-2024
========

:cve:`2024-1638`
----------------

Bluetooth characteristic LESC security requirement not enforced without additional flags

- `Zephyr project bug tracker GHSA-p6f3-f63q-5mc2
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p6f3-f63q-5mc2>`_

This has been fixed in main for v3.6.0

- `PR 69170 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/69170>`_

:cve:`2024-3077`
----------------

Bluetooth: Integer underflow in gatt_find_info_rsp. A malicious BLE
device can crash a victim BLE device by sending a malformed GATT packet.

- `Zephyr project bug tracker GHSA-gmfv-4vfh-2mh8
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gmfv-4vfh-2mh8>`_

This has been fixed in main for v3.7.0

- `PR 69396 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/69396>`_

:cve:`2024-3332`
----------------

Bluetooth: DoS caused by null pointer dereference.

A malicious BLE device can send a specific packet sequence to cause a
DoS on the victim BLE device.

- `Zephyr project bug tracker GHSA-jmr9-xw2v-5vf4
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-jmr9-xw2v-5vf4>`_

This has been fixed in main for v3.7.0

- `PR 71030 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/71030>`_

:cve:`2024-4785`
----------------

Bluetooth: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero

- `Zephyr project bug tracker GHSA-xcr5-5g98-mchp
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-xcr5-5g98-mchp>`_

This has been fixed in main for v3.7.0

- `PR 72608 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/72608>`_

:cve:`2024-5754`
----------------

BT: Encryption procedure host vulnerability

- `Zephyr project bug tracker GHSA-gvv5-66hw-5qrc
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gvv5-66hw-5qrc>`_

This has been fixed in main for v3.7.0

- `PR 7395 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/7395>`_

- `PR 74124 fix for 3.6
  <https://github.com/zephyrproject-rtos/zephyr/pull/74124>`_

- `PR 74123 fix for 3.5
  <https://github.com/zephyrproject-rtos/zephyr/pull/74123>`_

- `PR 74122 fix for 2.7
  <https://github.com/zephyrproject-rtos/zephyr/pull/74122>`_

:cve:`2024-5931`
----------------

BT: Unchecked user input in bap_broadcast_assistant

- `Zephyr project bug tracker GHSA-r8h3-64gp-wv7f
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-r8h3-64gp-wv7f>`_

This has been fixed in main for v3.7.0

- `PR 74062 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/74062>`_

- `PR 77966 fix for 3.6
  <https://github.com/zephyrproject-rtos/zephyr/pull/77966>`_

:cve:`2024-6135`
----------------

BT: Classic: Multiple missing buf length checks

- `Zephyr project bug tracker GHSA-2mp4-4g6f-cqcx
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-2mp4-4g6f-cqcx>`_

This has been fixed in main for v3.7.0

- `PR 74283 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/74283>`_

- `PR 77964 fix for 3.6
  <https://github.com/zephyrproject-rtos/zephyr/pull/77964>`_

:cve:`2024-6137`
----------------

BT: Classic: SDP OOB access in get_att_search_list

- `Zephyr project bug tracker GHSA-pm38-7g85-cf4f
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-pm38-7g85-cf4f>`_

This has been fixed in main for v3.7.0

- `PR 75575 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/75575>`_

:cve:`2024-6258`
----------------

BT: Missing length checks of net_buf in rfcomm_handle_data

- `Zephyr project bug tracker GHSA-7833-fcpm-3ggm
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7833-fcpm-3ggm>`_

This has been fixed in main for v3.7.0

- `PR 74640 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/74640>`_

:cve:`2024-6259`
----------------

BT: HCI: Improper discarding in adv_ext_report

- `Zephyr project bug tracker GHSA-p5j7-v26w-wmcp
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p5j7-v26w-wmcp>`_

This has been fixed in main for v3.7.0

- `PR 74639 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/74639>`_

- `PR 77960 fix for 3.6
  <https://github.com/zephyrproject-rtos/zephyr/pull/77960>`_

:cve:`2024-6442`
----------------

Bluetooth: ASCS Unchecked tailroom of the response buffer

- `Zephyr project bug tracker GHSA-m22j-ccg7-4v4h
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-m22j-ccg7-4v4h>`_

This has been fixed in main for v3.7.0

- `PR 74976 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/74976>`_

- `PR 77958 fix for 3.6
  <https://github.com/zephyrproject-rtos/zephyr/pull/77958>`_

:cve:`2024-6443`
----------------

zephyr: out-of-bound read in utf8_trunc

- `Zephyr project bug tracker GHSA-gg46-3rh2-v765
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-gg46-3rh2-v765>`_

This has been fixed in main for v3.7.0

- `PR 74949 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/74949>`_

- `PR 78286 fix for 3.6
  <https://github.com/zephyrproject-rtos/zephyr/pull/78286>`_

:cve:`2024-6444`
----------------

Bluetooth: ots: missing buffer length check

- `Zephyr project bug tracker GHSA-qj4r-chj6-h7qp
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-qj4r-chj6-h7qp>`_

This has been fixed in main for v3.7.0

- `PR 74944 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/74944>`_

- `PR 77954 fix for 3.6
  <https://github.com/zephyrproject-rtos/zephyr/pull/77954>`_

:cve:`2024-8798`
----------------

Bluetooth: classic: avdtp: missing buffer length check

- `Zephyr project bug tracker GHSA-r7pm-f93f-f7fp
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-r7pm-f93f-f7fp>`_

This has been fixed in main for v4.0.0

- `PR 77969 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/77969>`_

- `PR 78409 fix for 3.7
  <https://github.com/zephyrproject-rtos/zephyr/pull/78409>`_

:cve:`2024-10395`
-----------------

Under embargo until 2025-01-23

:cve:`2024-11263`
-----------------

arch: riscv: userspace: potential security risk when CONFIG_RISCV_GP=y

A rogue thread can corrupt the gp register and, at best, cause the entire
system to hard fault; at worst, it can potentially trick the system into
accessing another set of random global symbols.

- `Zephyr project bug tracker GHSA-jjf3-7x72-pqm9
  <https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-jjf3-7x72-pqm9>`_

This has been fixed in main for v4.0.0

- `PR 81155 fix for main
  <https://github.com/zephyrproject-rtos/zephyr/pull/81155>`_

- `PR 81370 fix for 3.7
  <https://github.com/zephyrproject-rtos/zephyr/pull/81370>`_