Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-3510

Summary
Assigner-zephyr
Assigner Org ID-e2e69745-5e70-4e92-8431-deb5529a81ad
Published At-05 Oct, 2021 | 20:50
Updated At-16 Sep, 2024 | 19:04
Rejected At-
Credits

Zephyr JSON decoder incorrectly decodes array of array

Zephyr JSON decoder incorrectly decodes array of array. Zephyr versions >= >1.14.0, >= >2.5.0 contain Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:zephyr
Assigner Org ID:e2e69745-5e70-4e92-8431-deb5529a81ad
Published At:05 Oct, 2021 | 20:50
Updated At:16 Sep, 2024 | 19:04
Rejected At:
▼CVE Numbering Authority (CNA)
Zephyr JSON decoder incorrectly decodes array of array

Zephyr JSON decoder incorrectly decodes array of array. Zephyr versions >= >1.14.0, >= >2.5.0 contain Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4

Affected Products
Vendor
Zephyr Projectzephyrproject-rtos
Product
zephyr
Versions
Affected
  • From >1.14.0 before unspecified (custom)
  • From >2.5.0 before unspecified (custom)
Problem Types
TypeCWE IDDescription
CWECWE-588Attempt to Access Child of a Non-structure Pointer (CWE-588)
Type: CWE
CWE ID: CWE-588
Description: Attempt to Access Child of a Non-structure Pointer (CWE-588)
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4
x_refsource_MISC
Hyperlink: http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4
x_refsource_MISC
x_transferred
Hyperlink: http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:vulnerabilities@zephyrproject.org
Published At:05 Oct, 2021 | 21:15
Updated At:14 Oct, 2021 | 13:23

Zephyr JSON decoder incorrectly decodes array of array. Zephyr versions >= >1.14.0, >= >2.5.0 contain Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary2.05.0MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Type: Primary
Version: 2.0
Base score: 5.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CPE Matches
Zephyr Project
zephyrproject
>>zephyr>>1.14.0
cpe:2.3:o:zephyrproject:zephyr:1.14.0:-:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>1.14.0
cpe:2.3:o:zephyrproject:zephyr:1.14.0:rc1:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>1.14.0
cpe:2.3:o:zephyrproject:zephyr:1.14.0:rc2:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>1.14.0
cpe:2.3:o:zephyrproject:zephyr:1.14.0:rc3:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>1.14.1
cpe:2.3:o:zephyrproject:zephyr:1.14.1:-:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>1.14.1
cpe:2.3:o:zephyrproject:zephyr:1.14.1:rc1:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>1.14.1
cpe:2.3:o:zephyrproject:zephyr:1.14.1:rc2:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>1.14.1
cpe:2.3:o:zephyrproject:zephyr:1.14.1:rc3:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>1.14.2
cpe:2.3:o:zephyrproject:zephyr:1.14.2:*:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>1.14.3
cpe:2.3:o:zephyrproject:zephyr:1.14.3:rc1:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>1.14.3
cpe:2.3:o:zephyrproject:zephyr:1.14.3:rc2:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.5.0
cpe:2.3:o:zephyrproject:zephyr:2.5.0:-:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.5.0
cpe:2.3:o:zephyrproject:zephyr:2.5.0:rc1:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.5.0
cpe:2.3:o:zephyrproject:zephyr:2.5.0:rc2:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.5.0
cpe:2.3:o:zephyrproject:zephyr:2.5.0:rc3:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.5.0
cpe:2.3:o:zephyrproject:zephyr:2.5.0:rc4:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.5.1
cpe:2.3:o:zephyrproject:zephyr:2.5.1:rc1:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.6.0
cpe:2.3:o:zephyrproject:zephyr:2.6.0:-:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.6.0
cpe:2.3:o:zephyrproject:zephyr:2.6.0:rc1:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.6.0
cpe:2.3:o:zephyrproject:zephyr:2.6.0:rc2:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.6.0
cpe:2.3:o:zephyrproject:zephyr:2.6.0:rc3:*:*:*:*:*:*
Zephyr Project
zephyrproject
>>zephyr>>2.6.1
cpe:2.3:o:zephyrproject:zephyr:2.6.1:rc1:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
NVD-CWE-OtherPrimarynvd@nist.gov
CWE-588Secondaryvulnerabilities@zephyrproject.org
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-588
Type: Secondary
Source: vulnerabilities@zephyrproject.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4vulnerabilities@zephyrproject.org
Patch
Third Party Advisory
Hyperlink: http://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-289f-7mw3-2qf4
Source: vulnerabilities@zephyrproject.org
Resource:
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

14Records found
CVE-2023-0359
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-5.9||MEDIUM
EPSS-0.23% / 45.52%
||
7 Day CHG~0.00%
Published-10 Jul, 2023 | 04:21
Updated-12 Nov, 2024 | 14:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ipv6: Missing ipv6 nullptr-check in handle_ra_input

A missing nullptr-check in handle_ra_input can cause a nullptr-deref.

Action-Not Available
Vendor-Zephyr Project
Product-zephyrZephyr
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-476
NULL Pointer Dereference
CVE-2021-3454
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.61%
||
7 Day CHG~0.00%
Published-19 Oct, 2021 | 22:50
Updated-17 Sep, 2024 | 00:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Truncated L2CAP K-frame causes assertion failure

Truncated L2CAP K-frame causes assertion failure. Zephyr versions >= 2.4.0, >= v.2.50 contain Improper Handling of Length Parameter Inconsistency (CWE-130), Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-vrp3

Action-Not Available
Vendor-Zephyr Project
Product-zephyrzephyr
CWE ID-CWE-130
Improper Handling of Length Parameter Inconsistency
CWE ID-CWE-617
Reachable Assertion
CVE-2023-7060
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-8.6||HIGH
EPSS-0.20% / 41.86%
||
7 Day CHG~0.00%
Published-15 Mar, 2024 | 18:12
Updated-27 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Security Control in Zephyr OS IP Packet Handling

Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.01 or the destination address.

Action-Not Available
Vendor-Zephyr Project
Product-zephyrZephyr
CWE ID-CWE-20
Improper Input Validation
CVE-2023-5563
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-7.1||HIGH
EPSS-0.19% / 40.65%
||
7 Day CHG~0.00%
Published-12 Oct, 2023 | 23:11
Updated-17 Sep, 2024 | 17:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SJA1000 CAN controller driver backend automatically attempt to recover from a bus-off event when built with CONFIG_CAN_AUTO_BUS_OFF_RECOVERY=y. This results in calling k_sleep() in IRQ context, causing a fatal exception.

Action-Not Available
Vendor-Zephyr Project
Product-zephyrZephyr
CWE ID-CWE-703
Improper Check or Handling of Exceptional Conditions
CVE-2021-3432
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 59.16%
||
7 Day CHG~0.00%
Published-28 Jun, 2022 | 19:45
Updated-17 Sep, 2024 | 00:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BT: Invalid interval in CONNECT_IND leads to Division by Zero

Invalid interval in CONNECT_IND leads to Division by Zero. Zephyr versions >= v1.14.0 Divide By Zero (CWE-369). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7364-p4wc-8mj4

Action-Not Available
Vendor-Zephyr Project
Product-zephyrzephyr
CWE ID-CWE-369
Divide By Zero
CVE-2021-3430
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 54.18%
||
7 Day CHG~0.00%
Published-28 Jun, 2022 | 19:45
Updated-16 Sep, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BT: Assertion failure on repeated LL_CONNECTION_PARAM_REQ

Assertion reachable with repeated LL_CONNECTION_PARAM_REQ. Zephyr versions >= v1.14 contain Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-46h3-hjcq-2jjr

Action-Not Available
Vendor-Zephyr Project
Product-zephyrzephyr
CWE ID-CWE-617
Reachable Assertion
CVE-2021-3455
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 59.43%
||
7 Day CHG~0.00%
Published-19 Oct, 2021 | 22:25
Updated-16 Sep, 2024 | 18:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Disconnecting L2CAP channel right after invalid ATT request leads freeze

Disconnecting L2CAP channel right after invalid ATT request leads freeze. Zephyr versions >= 2.4.0, >= 2.5.0 contain Use After Free (CWE-416). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7g38-3x9v-v7vp

Action-Not Available
Vendor-Zephyr Project
Product-zephyrzephyr
CWE ID-CWE-416
Use After Free
CVE-2021-3320
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-5.9||MEDIUM
EPSS-0.34% / 55.73%
||
7 Day CHG~0.00%
Published-24 May, 2021 | 21:40
Updated-16 Sep, 2024 | 22:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Type Confusion in 802154 ACK Frames Handling

Type Confusion in 802154 ACK Frames Handling. Zephyr versions >= v2.4.0 contain NULL Pointer Dereference (CWE-476). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-27r3-rxch-2hm7

Action-Not Available
Vendor-Zephyr Project
Product-zephyrzephyr
CWE ID-CWE-476
NULL Pointer Dereference
CWE ID-CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')
CVE-2025-2962
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-8.2||HIGH
EPSS-0.06% / 17.67%
||
7 Day CHG~0.00%
Published-24 Jun, 2025 | 05:32
Updated-26 Jun, 2025 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Infinite loop in dns_copy_qname

A denial-of-service issue in the dns implemenation could cause an infinite loop.

Action-Not Available
Vendor-Zephyr Project
Product-Zephyr
CWE ID-CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
CVE-2024-8798
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-7.5||HIGH
EPSS-0.26% / 48.97%
||
7 Day CHG+0.06%
Published-15 Dec, 2024 | 23:23
Updated-03 Feb, 2025 | 20:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bluetooth: classic: avdtp: missing buffer length check

No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.

Action-Not Available
Vendor-Zephyr Project
Product-zephyrZephyr
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-787
Out-of-bounds Write
CVE-2022-2741
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-8.2||HIGH
EPSS-0.09% / 25.63%
||
7 Day CHG~0.00%
Published-31 Oct, 2022 | 17:45
Updated-05 May, 2025 | 14:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
can: denial-of-service can be triggered by a crafted CAN frame

The denial-of-service can be triggered by transmitting a carefully crafted CAN frame on the same CAN network as the vulnerable node. The frame must have a CAN ID matching an installed filter in the vulnerable node (this can easily be guessed based on CAN traffic analyses). The frame must contain the opposite RTR bit as what the filter installed in the vulnerable node contains (if the filter matches RTR frames, the frame must be a data frame or vice versa).

Action-Not Available
Vendor-Zephyr Project
Product-zephyrzephyr
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2020-10063
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-6.8||MEDIUM
EPSS-1.87% / 82.34%
||
7 Day CHG~0.00%
Published-05 Jun, 2020 | 17:37
Updated-17 Sep, 2024 | 04:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote Denial of Service in CoAP Option Parsing Due To Integer Overflow

A remote adversary with the ability to send arbitrary CoAP packets to be parsed by Zephyr is able to cause a denial of service. This issue affects: zephyrproject-rtos zephyr version 2.2.0 and later versions.

Action-Not Available
Vendor-Zephyr Project
Product-zephyrzephyr
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2021-3431
Matching Score-8
Assigner-Zephyr Project
ShareView Details
Matching Score-8
Assigner-Zephyr Project
CVSS Score-4.3||MEDIUM
EPSS-0.39% / 59.16%
||
7 Day CHG~0.00%
Published-28 Jun, 2022 | 19:45
Updated-16 Sep, 2024 | 22:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
BT: Assertion failure on repeated LL_FEATURE_REQ

Assertion reachable with repeated LL_FEATURE_REQ. Zephyr versions >= v2.5.0 contain Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7548-5m6f-mqv9

Action-Not Available
Vendor-Zephyr Project
Product-zephyrzephyr
CWE ID-CWE-617
Reachable Assertion
CVE-2021-3319
Matching Score-6
Assigner-Zephyr Project
ShareView Details
Matching Score-6
Assigner-Zephyr Project
CVSS Score-6.5||MEDIUM
EPSS-0.42% / 61.05%
||
7 Day CHG~0.00%
Published-05 Oct, 2021 | 20:50
Updated-16 Sep, 2024 | 22:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Zephyr versions >= > v2.4.0 contain NULL Pointer Dereference (CWE-476), Attempt to Access Child of a Non-structure Pointer (CWE-588). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-94jg-2p6q-5364

Action-Not Available
Vendor-Zephyr Project
Product-zephyrzephyr
CWE ID-CWE-588
Attempt to Access Child of a Non-structure Pointer
CWE ID-CWE-476
NULL Pointer Dereference
Details not found