CRITICAL🇵🇱 Wersja polska

CVE-2026-5067

CVSS 9.8v3.1pub. 2026-06-09

A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.

🤖 AI Analysis
How it works

The HTTP/1 header parser copies the Sec-WebSocket-Key header to a fixed-size buffer using limited copying, which does not guarantee null-termination when the input length reaches the buffer size. During WebSocket upgrade handling, the buffer is copied to a local stack buffer and passed to the strlen() function; the absence of a NUL character within the buffer bounds causes an out-of-bounds read. Subsequent concatenation with the WebSocket magic string can cause a write beyond the stack buffer bounds (out-of-bounds write, CWE-787), which is a consequence of improper NUL termination (CWE-170). The vulnerable path is only reachable when the CONFIG_HTTP_SERVER_WEBSOCKET configuration option is enabled.

Impact

An attacker can cause a device to crash (DoS) through stack memory corruption, and under favorable conditions potentially achieve remote arbitrary code execution (RCE) without requiring authentication.

Mitigation & patch

Apply patches available from the vendor according to references (https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wgr4-9pwq-94vj). Until an update is applied, it is recommended to disable the CONFIG_HTTP_SERVER_WEBSOCKET option in the system configuration if the WebSocket feature is not essential.

Who is affected

Zephyr RTOS operating system with CONFIG_HTTP_SERVER_WEBSOCKET option enabled; specific versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth BypassDoSMemory
CWE
References