Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (zephyr) · only source for this CVE.
CVSS VectorVendor: zephyr
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set. When a subsequent PTP_MSG_ANNOUNCE message is processed, port_timer_set_timeout_random computes a timeout as NSEC_PER_SEC >> -log_seconds; if the attacker-supplied value is sufficiently negative (e.g., -127), the shift amount exceeds the 64-bit integer width, triggering undefined behavior in C. This can cause a system crash via a compiler-generated illegal instruction trap on some architectures, or produce an erroneous zero timeout leading to resource starvation loops or other logical errors.
AnalysisAI
Zephyr RTOS versions up to and including 4.3 expose a denial-of-service condition in the PTP (Precision Time Protocol) subsystem through improper validation of the log_announce_interval field. An unauthenticated attacker on an adjacent network can crash affected devices or induce resource starvation loops by sending a two-stage sequence of malformed PTP messages that provokes undefined behavior via an out-of-bounds bitwise shift on a 64-bit integer. No public exploit code has been identified at time of analysis, and EPSS scoring of 0.05% (17th percentile) combined with SSVC exploitation status of 'none' indicates low observed threat activity, though the deterministic crash path on certain architectures warrants patch prioritization on embedded IoT and industrial control deployments.
Technical ContextAI
Zephyr RTOS (cpe:2.3:a:zephyrproject-rtos:zephyr:*:*:*:*:*:*:*:*) is a small-footprint real-time operating system widely deployed in IoT, industrial, and embedded systems. Its PTP subsystem implements IEEE 1588 Precision Time Protocol for clock synchronization over local networks. The root cause is classified as CWE-20 (Improper Input Validation): the PTP stack accepts a signed integer log_announce_interval from a PTP_MSG_MANAGEMENT message and stores it in the port data set without bounds checking. The value is subsequently used as a negated right-shift operand in the expression NSEC_PER_SEC >> -log_seconds within port_timer_set_timeout_random. In C, shifting a 64-bit integer by an amount greater than or equal to 64 bits (or by a negative amount) is undefined behavior per the C standard. On architectures where compilers translate this to an illegal instruction trap, the result is an immediate system crash. On others, the shift silently produces zero, causing the timeout to evaluate to zero and triggering resource starvation through tight retry or polling loops.
RemediationAI
The primary remediation is to apply the fix documented in the Zephyr Project security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3v98-458v-388r. A specific patched release version is not independently confirmed from the input data provided; operators should consult the advisory directly to identify the minimum fixed version and apply it. The upstream fix is expected to introduce bounds validation on log_announce_interval before it is used as a shift operand, rejecting values that would produce a shift of 64 or more bits. If patching is not immediately feasible, compensating controls include: disabling the PTP subsystem entirely in the Zephyr build configuration if time synchronization via PTP is not required (this eliminates the attack surface with no functional impact to non-PTP workloads); restricting Layer 2 access to PTP-enabled devices by placing them on isolated VLANs or segments with strict MAC-level ACLs to prevent untrusted peers from sending PTP management messages; and applying ingress filtering on network infrastructure to block PTP management message types (UDP port 320 / Ethernet ethertype 0x88F7) from untrusted sources. Note that VLAN isolation reduces but does not eliminate risk if the attacker has already compromised an adjacent host.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31413