Skip to main content

Zephyr RTOS CVE-2026-5072

| EUVDEUVD-2026-31413 MEDIUM
Improper Input Validation (CWE-20)
2026-05-22 zephyr
6.5
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (zephyr) · only source for this CVE.

CVSS VectorVendor: zephyr

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:36 vuln.today
CVSS changed
May 26, 2026 - 15:22 NVD
6.5 (None) 6.5 (MEDIUM)
CVE Published
May 22, 2026 - 07:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port's data set. When a subsequent PTP_MSG_ANNOUNCE message is processed, port_timer_set_timeout_random computes a timeout as NSEC_PER_SEC >> -log_seconds; if the attacker-supplied value is sufficiently negative (e.g., -127), the shift amount exceeds the 64-bit integer width, triggering undefined behavior in C. This can cause a system crash via a compiler-generated illegal instruction trap on some architectures, or produce an erroneous zero timeout leading to resource starvation loops or other logical errors.

AnalysisAI

Zephyr RTOS versions up to and including 4.3 expose a denial-of-service condition in the PTP (Precision Time Protocol) subsystem through improper validation of the log_announce_interval field. An unauthenticated attacker on an adjacent network can crash affected devices or induce resource starvation loops by sending a two-stage sequence of malformed PTP messages that provokes undefined behavior via an out-of-bounds bitwise shift on a 64-bit integer. No public exploit code has been identified at time of analysis, and EPSS scoring of 0.05% (17th percentile) combined with SSVC exploitation status of 'none' indicates low observed threat activity, though the deterministic crash path on certain architectures warrants patch prioritization on embedded IoT and industrial control deployments.

Technical ContextAI

Zephyr RTOS (cpe:2.3:a:zephyrproject-rtos:zephyr:*:*:*:*:*:*:*:*) is a small-footprint real-time operating system widely deployed in IoT, industrial, and embedded systems. Its PTP subsystem implements IEEE 1588 Precision Time Protocol for clock synchronization over local networks. The root cause is classified as CWE-20 (Improper Input Validation): the PTP stack accepts a signed integer log_announce_interval from a PTP_MSG_MANAGEMENT message and stores it in the port data set without bounds checking. The value is subsequently used as a negated right-shift operand in the expression NSEC_PER_SEC >> -log_seconds within port_timer_set_timeout_random. In C, shifting a 64-bit integer by an amount greater than or equal to 64 bits (or by a negative amount) is undefined behavior per the C standard. On architectures where compilers translate this to an illegal instruction trap, the result is an immediate system crash. On others, the shift silently produces zero, causing the timeout to evaluate to zero and triggering resource starvation through tight retry or polling loops.

RemediationAI

The primary remediation is to apply the fix documented in the Zephyr Project security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3v98-458v-388r. A specific patched release version is not independently confirmed from the input data provided; operators should consult the advisory directly to identify the minimum fixed version and apply it. The upstream fix is expected to introduce bounds validation on log_announce_interval before it is used as a shift operand, rejecting values that would produce a shift of 64 or more bits. If patching is not immediately feasible, compensating controls include: disabling the PTP subsystem entirely in the Zephyr build configuration if time synchronization via PTP is not required (this eliminates the attack surface with no functional impact to non-PTP workloads); restricting Layer 2 access to PTP-enabled devices by placing them on isolated VLANs or segments with strict MAC-level ACLs to prevent untrusted peers from sending PTP management messages; and applying ingress filtering on network infrastructure to block PTP management message types (UDP port 320 / Ethernet ethertype 0x88F7) from untrusted sources. Note that VLAN isolation reduces but does not eliminate risk if the attacker has already compromised an adjacent host.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-5072 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy