Skip to main content

Zephyr RTOS EUVDEUVD-2026-35348

| CVE-2026-5067 CRITICAL
Improper Null Termination (CWE-170)
2026-06-09 vulnerabilities@zephyrproject.org
9.8
CVSS 3.1 · Vendor: zephyrproject
Share

Severity by source

Vendor (zephyrproject) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (zephyrproject) · only source for this CVE.

CVSS VectorVendor: zephyrproject

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 08:35 vuln.today

DescriptionCVE.org

A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.

AnalysisAI

Remote code execution and denial of service in Zephyr RTOS HTTP server (versions 3.7.0 through 4.3.0) allow unauthenticated network attackers to corrupt stack memory by sending a crafted Sec-WebSocket-Key header during WebSocket upgrade. The flaw is a CWE-170 improper NUL-termination issue where a bounded copy fails to terminate the header buffer, causing strlen() and subsequent concatenation to read and write past stack bounds. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivially reachable attack surface make this a high-priority issue for any Zephyr deployment with CONFIG_HTTP_SERVER_WEBSOCKET enabled.

Technical ContextAI

Zephyr is a widely adopted real-time operating system (RTOS) used in resource-constrained embedded and IoT devices, maintained by the Linux Foundation's Zephyr Project. The vulnerable component is the built-in HTTP/1 server's WebSocket upgrade handler, gated by the CONFIG_HTTP_SERVER_WEBSOCKET Kconfig option. The root cause maps to CWE-170 (Improper Null Termination): the header parser uses a bounded copy primitive (likely strncpy-style) that, when the input fully fills the fixed-size destination buffer, omits the trailing NUL. Downstream code then copies that non-terminated buffer to a stack-local buffer and calls strlen() on it, walking past the buffer until it finds a stray zero byte. The subsequent concatenation with the RFC 6455 WebSocket magic GUID ('258EAFA5-E914-47DA-95CA-C5AB0DC85B11') then writes out-of-bounds on the stack, creating both an OOB read and OOB write primitive against return addresses and saved frame data.

RemediationAI

Upgrade Zephyr to a release containing the fix referenced in advisory GHSA-wgr4-9pwq-94vj (https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wgr4-9pwq-94vj); the input data does not name an exact fix version, so consult the advisory for the patched tag and rebuild and reflash device firmware accordingly - patch available per vendor advisory. As a compensating control until firmware can be updated, disable CONFIG_HTTP_SERVER_WEBSOCKET in the build configuration and rebuild, which removes the vulnerable code path entirely at the cost of losing WebSocket support for any application features that depend on it. If disabling WebSocket support is not feasible, restrict network reachability of the HTTP server by binding it to a management VLAN or placing the device behind a reverse proxy that enforces a strict maximum length on the Sec-WebSocket-Key header (RFC 6455 specifies a base64-encoded 16-byte nonce, so 24 characters plus CRLF is the legitimate maximum) - note that this only mitigates external exploitation and does not protect against attackers on the same network segment.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

EUVD-2026-35348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy