CVE-2026-5067
9.8 CRITICALA remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-...
Published: 2026-06-09 · Last updated: 2026-06-09
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-170, CWE-787
Description
A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.
Source: NVD
References
Related CVEs
Same CWE
- CVE-2026-45328 — ESF-IDF is the Espressif Internet of Things (IOT) Development Framework (9.3 CRITICAL)
- CVE-2026-44634 — SimpleBLE is a cross-platform library and bindings for Bluetooth Low Energy (BLE)
- CVE-2026-47911 — Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds write vulnerability that could result in ... (7.8 HIGH)
- CVE-2026-48306 — Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code... (7.8 HIGH)
- CVE-2026-48305 — Substance3D - Sampler versions 6.0.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code... (7.8 HIGH)