
Zephyr RTOS CVE-2026-8023

HIGH · 7.5 (CVSS 3.1)
Path Traversal (CWE-22)
2026-06-29 · Vendor: zephyr

Severity by source

Vendor (zephyr) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated remote request with low complexity reads arbitrary files (PR:N, AC:L, C:H); no integrity or availability impact and scope unchanged.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS Vector (Vendor: zephyr)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 22:50 vuln.today

Description (CVE.org)

Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled request path into client->url_buffer (assembled in on_url() for HTTP/1, copied verbatim from the :path pseudo-header for HTTP/2) without resolving "." and ".." segments. The static-FS handler then built the on-disk filename by concatenating the configured root directly with that raw URL (snprintk(fname, ..., "%s%s", static_fs_detail->fs_path, client->url_buffer) at http_server_http1.c:603 and http_server_http2.c:490) and opened it with fs_open(fname, FS_O_READ). Because the handler is reached through wildcard/leading-directory matching (fnmatch with FNM_LEADING_DIR) or fallback resource matching, a request such as GET /<prefix>/../../<file> is dispatched to the handler; once the underlying filesystem (e.g. LittleFS or FAT) resolves the ".." segments, the path escapes the configured web root and an unauthenticated remote client can read any readable file on the mounted volume (information disclosure). Neither TLS nor authentication is required to reach this code path. The fix adds http_server_remove_dot_segments(), which canonicalizes the path portion of the URL before resource lookup in both protocol handlers, neutralizing the traversal. Affects releases v4.0.0 through v4.4.0 in deployments that register a static-filesystem resource.

Analysis (AI)

Arbitrary file read in the Zephyr RTOS HTTP server (subsys/net/lib/http) lets an unauthenticated remote client retrieve any readable file on the mounted filesystem volume by abusing path-traversal sequences against a registered static-filesystem resource. Affecting Zephyr v4.0.0 through v4.4.0 with CONFIG_FILE_SYSTEM enabled and a static-FS resource registered, the flaw stems from the raw request path being concatenated to the web root without canonicalization in both the HTTP/1 and HTTP/2 front-ends. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach device HTTP server (no auth)
Delivery: Send GET with ../ traversal path
Exploit: Handler concatenates path to web root
Execution: Filesystem resolves .. past web root
Persist: Read arbitrary file via fs_open
Impact: Exfiltrate sensitive file contents

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target firmware was built with CONFIG_FILE_SYSTEM enabled and registers a static-filesystem HTTP resource (HTTP_RESOURCE_TYPE_STATIC_FS) reachable via wildcard/leading-directory or fallback resource matching, with the Zephyr HTTP server network-reachable by the attacker. …
Risk Assessment: Signals are largely consistent and point to a genuine, easy-to-exploit information-disclosure issue. …
Exploit Scenario: An attacker who can reach a Zephyr-based device's HTTP server (no TLS or authentication required) sends a crafted request such as GET /static/../../etc/secret against a registered static-FS resource. The HTTP server concatenates the raw path to the web root and the underlying filesystem resolves the .. …
Remediation: Apply the vendor patch: upgrade to a Zephyr release that includes commit f4a423c98554f209c5d2f22f041822422c9263b8, which adds http_server_remove_dot_segments() to canonicalize URL paths in both the HTTP/1 and HTTP/2 handlers. The advisory cites the fix commit rather than a tagged release; consult GHSA-hch3-53g6-jj3h for the exact patched version, which has not been independently confirmed here. …
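To make the description and the Exploit Scenario and Remediation entries concrete, here is an added example in C that is not Zephyr source: a self-contained RFC 3986 section 5.2.4 dot-segment remover in front of a hypothetical static-FS path builder whose canonicalization step can be switched off, so the unpatched root + raw-URL concatenation can be compared with the patched behaviour on the advisory's GET /static/../../etc/secret. The names remove_dot_segments() and static_fs_build_path(), the root "/www", the URL prefix "/static" and the simplified leading-directory match are this example's own assumptions, not Zephyr's http_server_remove_dot_segments(), its resource structures or its fnmatch-based lookup.

```c
/* Added example, not Zephyr source: RFC 3986 5.2.4 dot-segment removal in
 * front of a hypothetical static-filesystem path builder, so the unpatched
 * root + raw-URL concatenation can be compared with the canonicalized form. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_URL 128

/* Canonicalize an absolute URL path in place (RFC 3986 section 5.2.4).
 * The output never exceeds the input, so the two-index in-place walk is safe.
 * Assumes an origin-form target (leading '/') with any query already removed. */
void remove_dot_segments(char *path)
{
	size_t r = 0, w = 0;        /* read and write indexes, w <= r always */
	bool trailing_slash = false;

	if (path[0] != '/') {
		return;
	}
	while (path[r] == '/') {
		size_t start = r + 1, seglen = 0;

		while (path[start + seglen] != '\0' && path[start + seglen] != '/') {
			seglen++;
		}
		trailing_slash = false;
		if (seglen == 1 && path[start] == '.') {
			trailing_slash = true;                 /* "/a/." -> "/a/" */
		} else if (seglen == 2 && path[start] == '.' && path[start + 1] == '.') {
			while (w > 0 && path[w - 1] != '/') {  /* pop last emitted segment */
				w--;
			}
			if (w > 0) {
				w--;
			}
			trailing_slash = true;                 /* "/a/b/.." -> "/a/" */
		} else {
			path[w++] = '/';
			memmove(path + w, path + start, seglen);
			w += seglen;
		}
		r = start + seglen;
	}
	if (trailing_slash) {
		path[w++] = '/';
	}
	path[w] = '\0';
}

/* Hypothetical static-FS resource: serve files under fs_root for URLs whose
 * leading directory matches url_prefix. Returns 0 and fills fname with the
 * on-disk path, or -1 when the request does not belong to this resource.
 * canonicalize=false reproduces the vulnerable root + raw-URL concatenation. */
int static_fs_build_path(const char *fs_root, const char *url_prefix,
			 const char *url, bool canonicalize,
			 char *fname, size_t fname_len)
{
	char path[MAX_URL];
	char *query;
	size_t plen = strlen(url_prefix);

	if (url[0] != '/' || strlen(url) >= sizeof(path)) {
		return -1;
	}
	strcpy(path, url);
	query = strchr(path, '?');        /* only the path maps to a file */
	if (query != NULL) {
		*query = '\0';
	}
	if (canonicalize) {
		remove_dot_segments(path);    /* the fix: canonicalize before lookup */
	}
	/* leading-directory match: "/static" matches "/static" and "/static/..." */
	if (strncmp(path, url_prefix, plen) != 0 ||
	    (path[plen] != '\0' && path[plen] != '/')) {
		return -1;                    /* no resource matched: 404 */
	}
	/* same "%s%s" concatenation pattern the advisory describes */
	if (snprintf(fname, fname_len, "%s%s", fs_root, path) >= (int)fname_len) {
		return -1;
	}
	return 0;
}

int main(void)
{
	const char *urls[] = { "/static/app.js", "/static/css/../app.js",
			       "/static/../../etc/secret" };
	char fname[MAX_URL + 32];

	for (size_t i = 0; i < sizeof(urls) / sizeof(urls[0]); i++) {
		int rc = static_fs_build_path("/www", "/static", urls[i], false,
					      fname, sizeof(fname));
		printf("%-26s unpatched -> %s\n", urls[i], rc == 0 ? fname : "404");
		rc = static_fs_build_path("/www", "/static", urls[i], true,
					  fname, sizeof(fname));
		printf("%-26s patched   -> %s\n", urls[i], rc == 0 ? fname : "404");
	}
	return 0;
}
```

Unpatched, the builder hands "/www/static/../../etc/secret" to the filesystem, which resolves it to /etc/secret. With canonicalization first, the URL collapses to /etc/secret, fails the /static prefix match and never reaches the static-FS handler, while a benign /static/css/../app.js still maps to /www/static/app.js. In a server of your own, percent-decode the path before canonicalizing it, otherwise an encoded %2e%2e survives the check and is decoded later.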

Recommended Action (AI)

24 hours: Identify all deployed instances of Zephyr RTOS versions 4.0.0-4.4.0 that build the HTTP server with CONFIG_FILE_SYSTEM enabled; assess their network exposure and test patch compatibility in an isolated non-production environment. …


