Description
A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.
Published: 2026-06-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
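The defect class in the Description (a strncpy-style bounded copy that leaves no terminator when the value exactly fills the buffer, followed by strlen() on the result) is easy to reproduce in isolation. The following C is an added illustration, not Zephyr's code: the buffer size KEY_BUF_LEN and all function names are assumptions, and the keys used are constructed inputs (the 24-character one is the example key from RFC 6455).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed buffer size for illustration; the advisory does not state the
 * real header buffer length in Zephyr. */
#define KEY_BUF_LEN 32

/* Vulnerable pattern (constructed, strncpy() semantics): pads with NULs only
 * when the value is shorter than the buffer. A value of exactly KEY_BUF_LEN
 * bytes fills it with no terminator, so a later strlen() or strcat() on the
 * buffer reads, and then writes, past its end. */
void copy_key_vulnerable(char dst[KEY_BUF_LEN], const char *value, size_t len)
{
    if (len > KEY_BUF_LEN) {
        len = KEY_BUF_LEN;                       /* silent truncation */
    }
    memcpy(dst, value, len);
    memset(dst + len, 0, KEY_BUF_LEN - len);     /* nothing written if len == KEY_BUF_LEN */
}

/* Hardened form: refuse any value that cannot fit together with its NUL and
 * write the terminator explicitly instead of relying on padding. */
bool copy_key_safe(char dst[KEY_BUF_LEN], const char *value, size_t len)
{
    if (len >= KEY_BUF_LEN) {
        return false;                            /* needs len + 1 bytes */
    }
    memcpy(dst, value, len);
    dst[len] = '\0';
    return true;
}

/* Defensive check for code handed such a buffer: true iff a NUL exists in
 * bounds, i.e. strlen() is safe. Same as strnlen(buf, buflen) < buflen. */
bool key_is_terminated(const char *buf, size_t buflen)
{
    return memchr(buf, '\0', buflen) != NULL;
}

/* Run the vulnerable copy on one key; the buffer is pre-filled with non-NUL
 * bytes so stale stack contents cannot mask the missing terminator. */
bool vulnerable_copy_terminates(const char *key)
{
    char buf[KEY_BUF_LEN];

    memset(buf, 'A', sizeof(buf));
    copy_key_vulnerable(buf, key, strlen(key));
    return key_is_terminated(buf, sizeof(buf));
}

/* Run the hardened copy on one key: true iff accepted and terminated. */
bool safe_copy_accepts(const char *key)
{
    char buf[KEY_BUF_LEN];

    return copy_key_safe(buf, key, strlen(key)) && key_is_terminated(buf, sizeof(buf));
}
```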
AI Analysis

Impact

Zephyr’s HTTP server places the Sec-WebSocket-Key header into a fixed-size buffer without NUL termination when the header’s length reaches the buffer size. During the WebSocket upgrade, this unsanitized buffer is copied again and passed to strlen(), allowing a crafted header to read beyond the buffer and subsequently write beyond the stack buffer when the WebSocket magic string is concatenated. The resulting out-of-bounds read and write can cause a crash and may enable arbitrary code execution by an unauthenticated remote attacker. The flaw is exercised only when the CONFIG_HTTP_SERVER_WEBSOCKET option is enabled.

Affected Systems

All Zephyr RTOS configurations that enable the HTTP server WebSocket support are affected. The advisory lists the Zephyr project as the vendor/product, but no specific release or version numbers are provided, so any build compiled with CONFIG_HTTP_SERVER_WEBSOCKET remains potentially vulnerable.

Risk and Exploitability

The CVSS score of 9.8 signals critical severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploits at the time of the advisory. Nonetheless the attack can be carried out remotely over the network by sending a single crafted HTTP request containing the malicious Sec-WebSocket-Key header. Because authentication is not required and the vulnerability depends only on the HTTP server being active, the risk of exploitation is high, with the potential outcome of denial of service or arbitrary code execution.

Generated by OpenCVE AI on June 9, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zephyr to the latest release that addresses the issue in the GHSA advisory.
  • If WebSocket support is not required, disable the CONFIG_HTTP_SERVER_WEBSOCKET option in the project's Kconfig to eliminate the vulnerable code path.
  • Apply network filtering or firewall rules to restrict access to the HTTP server endpoint to trusted hosts only.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 07:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Zephyrproject-rtos
                                       Zephyrproject-rtos zephyr
Vendors & Products                     Zephyrproject-rtos
                                       Zephyrproject-rtos zephyr

Tue, 09 Jun 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description                    (added; same text as under Description above)
Title                          Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key
Weaknesses                     CWE-170
                               CWE-787
References
Metrics                        cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-09T13:12:08.853Z

Reserved: 2026-03-27T22:30:27.757Z

Link: CVE-2026-5067

Vulnrichment

Updated: 2026-06-09T13:12:04.965Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T06:16:53.920

Modified: 2026-06-09T14:16:45.247

Link: CVE-2026-5067

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T07:30:26Z

Weaknesses