Severity: CRITICAL | CVE-2026-5067 | CNA: zephyr

CVE-2026-5067: Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key

A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.
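The unterminated-copy pattern described above, next to a hardened form, as an added example (not Zephyr's code). The function names and `KEY_BUF_SIZE` are assumptions; the 24-character key length and the magic GUID come from RFC 6455.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names and sizes: these are not Zephyr's identifiers. */
#define KEY_BUF_SIZE 32   /* fixed-size header buffer (assumed size) */
#define WS_KEY_LEN   24   /* base64 of a 16-byte nonce, per RFC 6455 */
#define WS_MAGIC     "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

/* The risky pattern: a bounded copy that fills the buffer leaves no NUL.
 * Returns 1 if dst ends up terminated, 0 if it does not. */
int copy_bounded_only(char dst[KEY_BUF_SIZE], const char *src)
{
    strncpy(dst, src, KEY_BUF_SIZE);   /* no NUL when strlen(src) >= size */
    return memchr(dst, '\0', KEY_BUF_SIZE) != NULL;
}

/* Hardened copy: reject rather than truncate, and always terminate.
 * Returns 0 on success, -1 if the value is not exactly WS_KEY_LEN bytes. */
int copy_key_checked(char dst[KEY_BUF_SIZE], const char *src, size_t src_len)
{
    if (src_len != WS_KEY_LEN || memchr(src, '\0', src_len) != NULL) {
        return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Hardened concatenation: the key length comes from a bounded scan and the
 * total size is checked before any byte is written.
 * Returns the output length, or -1 on any violation. */
int build_accept_input(char *out, size_t out_size, const char key[KEY_BUF_SIZE])
{
    const char *nul = memchr(key, '\0', KEY_BUF_SIZE);
    size_t key_len, magic_len = sizeof(WS_MAGIC) - 1;

    if (nul == NULL) {
        return -1;                     /* unterminated: never call strlen() */
    }
    key_len = (size_t)(nul - key);
    if (key_len != WS_KEY_LEN || key_len + magic_len + 1 > out_size) {
        return -1;
    }
    memcpy(out, key, key_len);
    memcpy(out + key_len, WS_MAGIC, magic_len + 1);   /* copies the NUL too */
    return (int)(key_len + magic_len);
}
```

Rejecting any key that is not exactly 24 characters removes the truncation case entirely, so the later length scan and concatenation only ever see a terminated value of known size.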

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

An out-of-bounds read and write vulnerability exists in the HTTP WebSocket upgrade path of the Zephyr RTOS HTTP server. A remote, unauthenticated attacker can reach the vulnerable code over the network by sending a crafted Sec-WebSocket-Key header, requiring no prior authentication or user interaction. Successful exploitation corrupts stack memory, enabling denial of service through a crash and potential arbitrary code execution on the affected device. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as Zephyr ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-5067 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI pipelines within minutes of upstream feed ingestion. Coverage extends to custom-built images that bundle Zephyr at or below version 4.3.0, including those built internally by customer teams.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 9.8 (Critical) and weighting that score against each environment's compliance policy to determine urgency. Triage routing is available per customer org, directing findings to the appropriate team inbox based on policy configuration.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the Zephyr advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention as soon as the fix is ingested.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Zephyr HTTP server over the network; the vulnerability is exposed on any network-accessible interface where CONFIG_HTTP_SERVER_WEBSOCKET is enabled.

  • Authentication: Not required

    No credentials or session token are needed; the malicious Sec-WebSocket-Key header can be sent as part of an unauthenticated HTTP upgrade request.

  • Victim interaction: Not required

    No user or operator action is required; the attacker sends the crafted request directly to the server without any social-engineering step.

  • Attack complexity (Detail)

    Attack complexity is low, meaning the exploit is reliable and condition-free; no race conditions, specific memory layouts, or environmental dependencies must be satisfied to trigger the overflow.

Blast Radius

  • The attacker crashes the Zephyr HTTP server process, taking down any service or sensor function hosted on the affected device.
  • Stack memory beyond the fixed-size buffer is read, potentially exposing in-stack data such as return addresses, local variables, or adjacent buffers.
  • Out-of-bounds writes to stack memory allow an attacker to overwrite return addresses or function pointers, enabling arbitrary code execution on the device.
  • Any data handled by the HTTP server at the time of exploitation, including request payloads and in-flight application state, is subject to tampering or disclosure.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-5067 is active and matched against all customer images on every scan cycle. Because Zephyr has not yet published a fix, no patched-image rebuild is available upstream. In the interim, HarborGuard recommends customers consider the following compensating controls where operationally feasible:

  • Apply network-policy rules to restrict inbound access to the Zephyr HTTP server port to trusted sources only.
  • Where the WebSocket upgrade feature is not required, disable CONFIG_HTTP_SERVER_WEBSOCKET at build time and rebuild the image.
  • Use egress filtering to limit the blast radius if a device is compromised.

HarborGuard will re-check the Zephyr advisory on every ingest cycle, and for customers with auto-remediation enabled, a patched-image rebuild, regression test run, and PR against affected workloads will be initiated automatically as soon as an upstream fix version is published.

Affected packages
  • zephyrproject-rtos / Zephyr
    ≤ 4.3.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H