Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (zephyrproject) · only source for this CVE.
CVSS VectorVendor: zephyrproject
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.
AnalysisAI
Remote code execution and denial of service in Zephyr RTOS HTTP server (versions 3.7.0 through 4.3.0) allow unauthenticated network attackers to corrupt stack memory by sending a crafted Sec-WebSocket-Key header during WebSocket upgrade. The flaw is a CWE-170 improper NUL-termination issue where a bounded copy fails to terminate the header buffer, causing strlen() and subsequent concatenation to read and write past stack bounds. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivially reachable attack surface make this a high-priority issue for any Zephyr deployment with CONFIG_HTTP_SERVER_WEBSOCKET enabled.
Technical ContextAI
Zephyr is a widely adopted real-time operating system (RTOS) used in resource-constrained embedded and IoT devices, maintained by the Linux Foundation's Zephyr Project. The vulnerable component is the built-in HTTP/1 server's WebSocket upgrade handler, gated by the CONFIG_HTTP_SERVER_WEBSOCKET Kconfig option. The root cause maps to CWE-170 (Improper Null Termination): the header parser uses a bounded copy primitive (likely strncpy-style) that, when the input fully fills the fixed-size destination buffer, omits the trailing NUL. Downstream code then copies that non-terminated buffer to a stack-local buffer and calls strlen() on it, walking past the buffer until it finds a stray zero byte. The subsequent concatenation with the RFC 6455 WebSocket magic GUID ('258EAFA5-E914-47DA-95CA-C5AB0DC85B11') then writes out-of-bounds on the stack, creating both an OOB read and OOB write primitive against return addresses and saved frame data.
RemediationAI
Upgrade Zephyr to a release containing the fix referenced in advisory GHSA-wgr4-9pwq-94vj (https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wgr4-9pwq-94vj); the input data does not name an exact fix version, so consult the advisory for the patched tag and rebuild and reflash device firmware accordingly - patch available per vendor advisory. As a compensating control until firmware can be updated, disable CONFIG_HTTP_SERVER_WEBSOCKET in the build configuration and rebuild, which removes the vulnerable code path entirely at the cost of losing WebSocket support for any application features that depend on it. If disabling WebSocket support is not feasible, restrict network reachability of the HTTP server by binding it to a management VLAN or placing the device behind a reverse proxy that enforces a strict maximum length on the Sec-WebSocket-Key header (RFC 6455 specifies a base64-encoded 16-byte nonce, so 24 characters plus CRLF is the legitimate maximum) - note that this only mitigates external exploitation and does not protect against attackers on the same network segment.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-170 – Improper Null Termination
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35348