Zephyr RTOS
CVE-2026-8023
HIGH
Severity by source
Primary rating from Vendor (zephyr): HIGH, CVSS v3.1 base score 7.5
CVSS vector (vendor: zephyr): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated remote request with low complexity reads arbitrary files (PR:N, AC:L, C:H); no integrity or availability impact and scope unchanged.
Description (source: CVE.org)
Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Before this fix, both the HTTP/1 and HTTP/2 front-ends placed the raw, attacker-controlled request path into client->url_buffer (assembled in on_url() for HTTP/1 and copied verbatim from the :path pseudo-header for HTTP/2) without resolving "." or ".." segments. The static-FS handler then built the on-disk filename by directly concatenating the configured root with that raw URL (snprintk(fname, ..., "%s%s", static_fs_detail->fs_path, client->url_buffer) at http_server_http1.c:603 and http_server_http2.c:490) and opened it with fs_open(fname, FS_O_READ). Because the handler is reached via wildcard/leading-directory (fnmatch FNM_LEADING_DIR) or fallback resource matching, a request such as GET /<prefix>/../../<file> is dispatched to the handler and, after the underlying filesystem (e.g. LittleFS or FAT) resolves the ".." segments, escapes the configured web root, letting an unauthenticated remote client read arbitrary readable files on the mounted volume (information disclosure). The HTTP server requires no TLS or authentication to reach this path. The fix adds http_server_remove_dot_segments(), which canonicalizes the path portion of the URL before resource lookup in both protocol handlers, neutralizing the traversal. Affects releases v4.0.0 through v4.4.0 for deployments that register a static-filesystem resource.
Analysis (AI)
Arbitrary file read in the Zephyr RTOS HTTP server (subsys/net/lib/http) lets an unauthenticated remote client retrieve any readable file on the mounted filesystem volume by abusing path-traversal sequences against a registered static-filesystem resource. Affecting Zephyr v4.0.0 through v4.4.0 with CONFIG_FILE_SYSTEM enabled and a static-FS resource registered, the flaw stems from the raw request path being concatenated to the web root without canonicalization in both the HTTP/1 and HTTP/2 front-ends. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the target firmware was built with CONFIG_FILE_SYSTEM enabled AND registers a static-filesystem HTTP resource (HTTP_RESOURCE_TYPE_STATIC_FS) reachable via wildcard/leading-directory or fallback resource matching, with the Zephyr HTTP server network-reachable by the attacker. … |
| Risk Assessment | Signals are largely consistent and point to a genuine, easy-to-exploit information-disclosure issue. … |
| Exploit Scenario | An attacker who can reach a Zephyr-based device's HTTP server (no TLS or authentication required) sends a crafted request such as GET /static/../../etc/secret against a registered static-FS resource. The HTTP server concatenates the raw path to the web root and the underlying filesystem resolves the .. … |
| Remediation | Apply the vendor patch: upgrade to the fixed Zephyr release that includes commit f4a423c98554f209c5d2f22f041822422c9263b8, which adds http_server_remove_dot_segments() to canonicalize URL paths in both the HTTP/1 and HTTP/2 handlers. The patch is available per the vendor advisory; consult GHSA-hch3-53g6-jj3h for the exact released version, since only the fix commit, not a tagged release number, is given here and the released patched version has not been independently confirmed. … |
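The following C program is an example added here for illustration; it is not Zephyr's code and not part of this advisory. It models the path-handling flow in the Description above and in the Exploit Scenario row: the pre-fix join (configured root concatenated with the raw URL via "%s%s") beside a post-fix flow that removes dot segments before resource matching, as the fix's http_server_remove_dot_segments() is described to do, plus a root-containment check a handler can apply to the joined filename as defence in depth. The resource prefix /static, the root /lfs/www, the request paths and the helper names (leading_dir_match, canonicalize_path, resolve_vulnerable, resolve_fixed, escapes_root) are constructed for the example; snprintf stands in for Zephyr's snprintk, and the leading-directory match covers only the non-wildcard case of fnmatch FNM_LEADING_DIR.

```c
/* Added example, not Zephyr's code. Models the pre-fix join (root + raw URL
 * via "%s%s") beside a post-fix flow that strips dot segments before resource
 * matching, as the advisory says http_server_remove_dot_segments() does.
 * Resource names, paths and helper names are constructed for this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 128

struct static_fs_resource {
    const char *url_prefix; /* e.g. "/static", matched as a leading directory */
    const char *fs_path;    /* configured web root on the mounted volume */
};

/* "/static" matches "/static" and "/static/...": the non-glob part of
 * fnmatch(FNM_LEADING_DIR), enough to show the dispatch decision. */
bool leading_dir_match(const char *prefix, const char *path)
{
    size_t n = strlen(prefix);
    return strncmp(prefix, path, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Segment-stack form of RFC 3986 remove_dot_segments for an absolute path:
 * drops "." and empty segments, pops one segment per "..", never climbs above
 * "/". Percent-encoding is not decoded here; decode before calling.
 * Returns the output length, or -1 for a relative path or overflow. */
int canonicalize_path(const char *in, char *out, size_t outsz)
{
    size_t olen = 0;
    const char *p = in;

    if (*p != '/' || outsz < 2) return -1;
    out[0] = '\0';
    while (*p == '/') {
        const char *seg = ++p;          /* first byte after the '/' */
        size_t seglen;

        while (*p && *p != '/') p++;    /* scan to the next '/' or end */
        seglen = (size_t)(p - seg);
        if (seglen == 0 || (seglen == 1 && seg[0] == '.')) {
            continue;                   /* "//" or "/./": drop */
        }
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (olen > 0 && out[--olen] != '/') ; /* pop to previous '/' */
            out[olen] = '\0';           /* at root, ".." is a no-op */
            continue;
        }
        if (olen + seglen + 2 > outsz) return -1;   /* '/' + seg + NUL */
        out[olen++] = '/';
        memcpy(out + olen, seg, seglen);
        olen += seglen;
        out[olen] = '\0';
    }
    if (olen == 0) {                    /* "/" or only dot segments */
        out[0] = '/';
        out[1] = '\0';
        olen = 1;
    }
    return (int)olen;
}

/* Pre-fix flow: raw URL matched, then joined as "%s%s" (snprintk in Zephyr).
 * Returns 1 when the static-FS handler would be dispatched, filling fname. */
int resolve_vulnerable(const struct static_fs_resource *r, const char *url,
                       char *fname, size_t sz)
{
    if (!leading_dir_match(r->url_prefix, url)) return 0;
    snprintf(fname, sz, "%s%s", r->fs_path, url);
    return 1;
}

/* Post-fix flow: dot segments removed before matching, so
 * "/static/../../etc/secret" collapses to "/etc/secret" and no longer matches
 * the static-FS resource at all. Returns -1 for a malformed (relative) path. */
int resolve_fixed(const struct static_fs_resource *r, const char *url,
                  char *fname, size_t sz)
{
    char canon[PATH_MAX_LEN];

    if (canonicalize_path(url, canon, sizeof(canon)) < 0) return -1;
    if (!leading_dir_match(r->url_prefix, canon)) return 0;
    snprintf(fname, sz, "%s%s", r->fs_path, canon);
    return 1;
}

/* Defence in depth inside the handler: does the joined filename, once
 * canonicalised, still sit under root? Catches any join that bypasses the
 * URL-level canonicaliser. */
bool escapes_root(const char *root, const char *fname)
{
    char canon[PATH_MAX_LEN];

    return canonicalize_path(fname, canon, sizeof(canon)) < 0 ||
           !leading_dir_match(root, canon);
}
```

With the constructed attack path, resolve_vulnerable yields /lfs/www/static/../../etc/secret, which the filesystem resolves to /lfs/etc/secret, outside the web root but still on the mounted volume, exactly the disclosure the Description reports; resolve_fixed canonicalizes the URL to /etc/secret first, which matches no registered static-FS resource, so the handler is never reached. One caveat for anyone porting this: canonicalization must run after any percent-decoding, otherwise an encoded %2e%2e segment would survive it unchanged; whether Zephyr's server decodes the path before this step is not stated on this page.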
Recommended Action (AI)
24 hours: Identify all deployed instances of Zephyr RTOS versions 4.0.0-4.4.0 with HTTP server functionality and CONFIG_FILE_SYSTEM enabled; assess network exposure and test patch compatibility in isolated non-production environment. …
Weakness: CWE-22 – Path Traversal
Technique: Information Disclosure