Skip to main content

Zephyr RTOS CVE-2026-5071

| EUVDEUVD-2026-33449 HIGH
Out-of-bounds Read (CWE-125)
2026-05-30 zephyr
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.1 HIGH

Local userspace app with low privileges controls the sendto length (AV:L/PR:L/AC:L); the OOB read yields memory disclosure (C:H) and crashes (A:H) but modifies no state, so I:N rather than the reported I:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 08, 2026 - 13:47 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 13:46 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 13:37 vuln.today
cvss_changed
Severity Changed
Jul 08, 2026 - 13:37 NVD
MEDIUM HIGH
CVSS changed
Jul 08, 2026 - 13:37 NVD
6.1 (MEDIUM) 7.8 (HIGH)
Analysis Generated
May 30, 2026 - 08:27 vuln.today

DescriptionNVD

The SocketCAN implementation validates the length of a user-provided buffer containing a socketcan_frame object using only a NET_ASSERT statement in zcan_sendto_ctx() before dereferencing it in socketcan_to_can_frame(). In production builds where assertions are disabled, a userspace application that controls the length passed to a sendto syscall can supply an incomplete or truncated frame, causing socketcan_to_can_frame() to dereference fields beyond the end of the buffer. This results in an out-of-bounds read that can cause denial-of-service crashes or, because the parsed frame contents are transmitted on the network, leak adjacent memory.

AnalysisAI

Out-of-bounds read in the Zephyr RTOS SocketCAN implementation lets a local userspace application leak adjacent memory or crash the system by submitting a truncated CAN frame through the sendto syscall. The zcan_sendto_ctx() path guards the user-supplied buffer length only with a NET_ASSERT, which is compiled out of production builds, so socketcan_to_can_frame() then dereferences fields past the end of the buffer. All Zephyr versions up to and including 4.3 are affected; there is no public exploit identified at time of analysis and EPSS is negligible (0.01%, 2nd percentile).

Technical ContextAI

Zephyr is an open-source real-time operating system for resource-constrained embedded and IoT devices. The flaw lives in its SocketCAN networking layer, which exposes a BSD-style socket API over the CAN (Controller Area Network) bus. When a userspace application calls sendto() with a socketcan_frame object, zcan_sendto_ctx() is supposed to verify that the caller-supplied length is large enough to hold a full frame, but it does so with a NET_ASSERT - a debug-only assertion that is disabled (compiled to a no-op) in production builds. socketcan_to_can_frame() subsequently reads frame fields (such as CAN ID, DLC, and data bytes) at fixed offsets, and with a truncated buffer those reads fall past the allocation boundary. This is a classic CWE-125 out-of-bounds read caused by trusting an assertion for security-relevant input validation rather than an unconditional runtime check.

RemediationAI

Upgrade to a Zephyr release beyond 4.3 that contains the fix; the GHSA advisory (https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c3w6-x7m3-3c58) is the authoritative source for the exact patched version, which is not independently confirmed from the available data - no fixed version string was provided, so treat patch availability as per-vendor-advisory only. As a compensating control until patching, add an unconditional length check in zcan_sendto_ctx() before calling socketcan_to_can_frame(), or if you build your own image temporarily keep NET_ASSERT enabled in the affected build (trade-off: assertions increase code size and halt the system on trigger, which may be undesirable in production). Operationally, restrict which userspace applications may open and write to SocketCAN sockets, since exploitation requires a local process that can issue the sendto syscall on a CAN socket. See https://vuldb.com/vuln/367420 for supplementary tracking.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-5071 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy