CVE-2023

CVE 2023-0396

Buffer Overreads in Bluetooth HCI

• Zephyr project bug tracker GHSA-8rpp-6vxq-pqg3

CVE 2023-0397

DoS: Invalid Initialization in le_read_buffer_size_complete()

• Zephyr project bug tracker GHSA-wc2h-h868-q7hj

This has been fixed in main for v3.3.0

• PR 54905 fix for main

• PR 47957 fix for v3.2.0

• PR 47958 fix for v3.1.0

• PR 47959 fix for v2.7.4

CVE 2023-0779

net: shell: Improper input validation

• Zephyr project bug tracker GHSA-9xj8-6989-r549

This has been fixed in main for v3.3.0

• PR 54371 fix for main

• PR 54380 fix for v3.2.0

• PR 54381 fix for v2.7.4

CVE 2023-1901

HCI send_sync Dangling Semaphore Reference Re-use

• Zephyr project bug tracker GHSA-xvvm-8mcm-9cq3

This has been fixed in main for v3.4.0

• PR 56709 fix for main

CVE 2023-1902

HCI Connection Creation Dangling State Reference Re-use

• Zephyr project bug tracker GHSA-fx9g-8fr2-q899

This has been fixed in main for v3.4.0

• PR 56709 fix for main

CVE 2023-3725

Potential buffer overflow vulnerability in the Zephyr CANbus subsystem.

• Zephyr project bug tracker GHSA-2g3m-p6c7-8rr3

This has been fixed in main for v3.5.0

• PR 61502 fix for main

• PR 61518 fix for 3.4

• PR 61517 fix for 3.3

• PR 61516 fix for 2.7

CVE 2023-4257

Unchecked user input length in the Zephyr WiFi shell module can cause buffer overflows.

• Zephyr project bug tracker GHSA-853q-q69w-gf5j

This has been fixed in main for v3.5.0

• PR 605377 fix for main

• PR 61383 fix for 3.4

CVE 2023-4258

bt: mesh: vulnerability in provisioning protocol implementation on provisionee side

• Zephyr project bug tracker GHSA-m34c-cp63-rwh7

This has been fixed in main for v3.5.0

• PR 59467 fix for main

• PR 60078 fix for 3.4

• PR 60079 fix for 3.3

CVE 2023-4259

Buffer overflow vulnerabilities in the Zephyr eS-WiFi driver

• Zephyr project bug tracker GHSA-gghm-c696-f4j4

This has been fixed in main for v3.5.0

• PR 63074 fix for main

• PR 63750 fix for main

CVE 2023-4260

Off-by-one buffer overflow vulnerability in the Zephyr FS subsystem

• Zephyr project bug tracker GHSA-gj27-862r-55wh

This has been fixed in main for v3.5.0

• PR 63079 fix for main

CVE 2023-4262

• This issue has been determined to be a false positive after further analysis.

CVE 2023-4263

Potential buffer overflow vulnerability in the Zephyr IEEE 802.15.4 nRF 15.4 driver.

• Zephyr project bug tracker GHSA-rf6q-rhhp-pqhf

This has been fixed in main for v3.5.0

• PR 60528 fix for main

• PR 61384 fix for 3.4

• PR 61216 fix for 2.7

CVE 2023-4264

Potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem

• Zephyr project bug tracker GHSA-rgx6-3w4j-gf5j

This has been fixed in main for v3.5.0

• PR 58834 fix for main

• PR 60465 fix for main

• PR 61845 fix for main

• PR 61385 fix for 3.4

CVE 2023-4265

Two potential buffer overflow vulnerabilities in Zephyr USB code

• Zephyr project bug tracker GHSA-4vgv-5r6q-r6xh

This has been fixed in main for v3.4.0

• PR 59157 fix for main

• PR 59018 fix for main

CVE 2023-4424

bt: hci: DoS and possible RCE

• Zephyr project bug tracker GHSA-j4qm-xgpf-qjw3

This has been fixed in main for v3.5.0

• PR 61651 fix for main

• PR 61696 fix for 3.4

• PR 61695 fix for 3.3

• PR 61694 fix for 2.7

CVE 2023-5055

L2CAP: Possible Stack based buffer overflow in le_ecred_reconf_req()

• Zephyr project bug tracker GHSA-wr8r-7f8x-24jj

This has been fixed in main for v3.5.0

• PR 62381 fix for main

CVE 2023-5139

Potential buffer overflow vulnerability in the Zephyr STM32 Crypto driver.

• Zephyr project bug tracker GHSA-rhrc-pcxp-4453

This has been fixed in main for v3.5.0

• PR 61839 fix for main

CVE 2023-5184

Potential signed to unsigned conversion errors and buffer overflow vulnerabilities in the Zephyr IPM driver

• Zephyr project bug tracker GHSA-8x3p-q3r5-xh9g

This has been fixed in main for v3.5.0

• PR 63069 fix for main

CVE 2023-5563

The SJA1000 CAN controller driver backend automatically attempts to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception.

• Zephyr project bug tracker GHSA-98mc-rj7w-7rpv

This has been fixed in main for v3.5.0

• PR 63713 fix for main

• PR 63718 fix for 3.4

• PR 63717 fix for 3.3

CVE 2023-5753

Potential buffer overflow vulnerabilities in the Zephyr Bluetooth subsystem source code when asserts are disabled.

• Zephyr project bug tracker GHSA-hmpr-px56-rvww

This has been fixed in main for v3.5.0

• PR 63605 fix for main

CVE 2023-5779

Out of bounds issue in remove_rx_filter in multiple can drivers.

• Zephyr project bug tracker GHSA-7cmj-963q-jj47

This has been fixed in main for v3.6.0

• PR 64399 fix for main

• PR 64416 fix for 3.5

• PR 64415 fix for 3.4

• PR 64427 fix for 3.3

• PR 64431 fix for 2.7

CVE 2023-6249

Signed to unsigned conversion problem in esp32_ipm_send may lead to buffer overflow

• Zephyr project bug tracker GHSA-32f5-3p9h-2rqc

This has been fixed in main for v3.6.0

• PR 65546 fix for main

CVE 2023-6749

Potential buffer overflow due unchecked data coming from user input in settings shell.

• Zephyr project bug tracker GHSA-757h-rw37-66hw

This has been fixed in main for v3.6.0

• PR 66451 fix for main

• PR 66584 fix for 3.5

CVE 2023-6881

Potential buffer overflow vulnerability in Zephyr fuse file system.

• Zephyr project bug tracker GHSA-mh67-4h3q-p437

This has been fixed in main for v3.6.0

• PR 66592 fix for main

CVE 2023-7060

Missing Security Control in Zephyr OS IP Packet Handling

• Zephyr project bug tracker GHSA-fjc8-223c-qgqr

This has been fixed in main for v3.6.0

• PR 66645 fix for main

• PR 66739 fix for 3.5

• PR 66738 fix for 3.4

• PR 66887 fix for 2.7