| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Two potential buffer overflow vulnerabilities at the following locations in the Zephyr eS-WiFi driver source code. |
| Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. |
| Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem |
| At the most basic level, an invalid pointer can be input that crashes the device, but with more knowledge of the device’s memory layout, further exploitation is possible. |
| BT: Missing Check in LL_CONNECTION_UPDATE_IND Packet Leads to Division by Zero |
| No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c. |
| When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols. |
| A malicious BLE device can send a specific order of packet sequence to cause a DoS attack on the victim BLE device |
| An malicious BLE device can crash BLE victim device by sending malformed gatt packet |
| Possible buffer overflow in is_mount_point |
| Signed to unsigned conversion esp32_ipm_send |
| can: out of bounds in remove_rx_filter function |
| Unchecked length coming from user input in settings shell |
| The SJA1000 CAN controller driver backend automatically attempt to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception. |
| Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. |
| An malicious BLE device can cause buffer overflow by sending malformed advertising packet BLE device using Zephyr OS, leading to DoS or potential RCE on the victim BLE device. |
| In Bluetooth mesh implementation If provisionee has a public key that is sent OOB then during provisioning it can be sent back and will be accepted by provisionee.
|
| Union variant confusion allows any malicious BT controller to execute arbitrary code on the Zephyr host. |
| The bluetooth HCI host layer logic not clearing a global reference to a state pointer after handling connection events may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer. |
| The bluetooth HCI host layer logic not clearing a global reference to a semaphore after synchronously sending HCI commands may allow a malicious HCI Controller to cause the use of a dangling reference in the host layer, leading to a crash (DoS) or potential RCE on the Host layer.
|
