CVE-2025

CVE-2025-1673

Out of bounds read when calling crc16_ansi and strlen in dns_validate_msg

A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.

This has been fixed in main for v4.1.0

CVE-2025-1674

Out of bounds read when unpacking DNS answers

A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.

This has been fixed in main for v4.1.0

CVE-2025-1675

Out of bounds read in dns_copy_qname

The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted length field and does not check whether the source buffer is large enough to contain the copied data.

This has been fixed in main for v4.1.0

CVE-2025-2962

Infinite loop in dns_copy_qname

A denial-of-service issue in the DNS implementation could cause an infinite loop.

This has been fixed in main for v4.2.0

CVE-2025-7403

Bluetooth: bt_conn_tx_processor unsafe handling

Unsafe handling in bt_conn_tx_processor causes a use-after-free, resulting in a write-before-zero. The written 4 bytes are attacker-controlled, enabling precise memory corruption.

This has been fixed in main for v4.2.0

CVE-2025-10456

Bluetooth: Semi-Arbitrary ability to make the BLE Target send disconnection requests

A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Specifically, an attacker could exploit a flaw that causes the BLE target (i.e., the device under attack) to attempt to disconnect a fixed channel, which is not allowed per the Bluetooth specification. This leads to undefined behavior, including potential assertion failures, crashes, or memory corruption.

This has been fixed in main for v4.2.0

CVE-2025-10457

Bluetooth: Out-Of-Context le_conn_rsp handling

The function responsible for handling BLE connection responses does not verify whether a response is expected, that is, whether the device has actually initiated a connection request. Instead, it relies solely on identifier matching.

This has been fixed in main for v4.2.0

CVE-2025-10458

Bluetooth: le_conn_rsp does not sanitize CID, MTU, MPS values

The CID, MTU and MPS parameters are not validated or sanitized, and are later used in various internal operations.

This has been fixed in main for v4.2.0

CVE-2025-9408

Userspace privilege escalation vulnerability on Cortex M

System call entry on Cortex M (and possibly R and A, but I think not) has a race which allows very practical privilege escalation for malicious userspace processes.

This has been fixed in main for v4.3.0

CVE-2025-9557

Bluetooth: Mesh: Out-of-Bound Write in gen_prov_cont

An out-of-bound write can lead to an arbitrary code execution. Even on devices with some form of memory protection, this can still lead to a crash and a resultant denial of service.

This has been fixed in main for v4.3.0

CVE-2025-9558

Bluetooth: Mesh: Out-of-Bound Write in gen_prov_start

There is a potential out-of-bounds write vulnerability in the gen_prov_start function in pb_adv.c. The full length of the received data is copied into the link.rx.buf receive buffer without any validation of the data size.

This has been fixed in main for v4.3.0

CVE-2025-12035

Bluetooth: Integer Overflow in Bluetooth Classic (BR/EDR) L2CAP

An integer overflow condition exists in the Bluetooth Host stack, within the bt_br_acl_recv routine, a critical path for processing inbound BR/EDR L2CAP traffic.

This has been fixed in main for v4.3.0

CVE-2025-12890

Bluetooth: peripheral: Invalid handling of malformed connection request

Improper handling of a malformed Connection Request with the interval set to 1 (which is supposed to be illegal) and the channel map (chM) set to 0x7CFFFFFFFF triggers a crash. The peripheral is no longer connectable afterwards.

This has been fixed in main for v4.2.0

CVE-2025-12899

net: icmp: Out-of-bounds memory read

A flaw in Zephyr’s network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem.

This has been fixed in main for v4.3.0