eastbaycyber

CVE-2026-5067: Critical Memory Corruption in Zephyr RTOS

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-07-11
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-5067
CVSS score 9.8 (Critical)
Attack vector Remote
Auth required None
Patch status Official advisory exists; exact fixed version not verifiable from available source text in this session

TL;DR - Zephyr RTOS has a critical WebSocket upgrade memory corruption bug in its HTTP server. - Affected deployments are those with CONFIG_HTTP_SERVER_WEBSOCKET enabled and network exposure. - Treat as urgent even though public exploitation and a public PoC are not currently confirmed.

AnalystImpact · assess the risk

What Happened and Why Defenders Should Care

CVE-2026-5067 is a critical memory corruption vulnerability in the Zephyr Project’s Zephyr RTOS HTTP server, specifically in the WebSocket upgrade path. According to the NVD description, a remote, unauthenticated attacker can trigger the bug by sending a crafted Sec-WebSocket-Key header. The flaw is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.

The security significance is straightforward: this is not a logic bug with narrow impact, but a parser-path memory safety issue in a network-facing service. The vulnerable path performs a bounded copy into a fixed-size buffer without guaranteeing NUL termination, and later code uses strlen() and concatenation on that data. That creates out-of-bounds read and write conditions on stack memory. At minimum, defenders should expect denial of service. Because the corruption occurs on the stack, potential code execution cannot be ruled out.

For embedded and IoT teams, this matters because Zephyr is frequently deployed in devices that expose management, telemetry, or application interfaces over HTTP. If WebSocket support is enabled and reachable from untrusted networks, the attack surface is external and unauthenticated. That combination makes this vulnerability operationally important even without confirmed exploitation in the wild.

A second reason to prioritize this CVE is that parser bugs tend to be reproducible once researchers and attackers focus on the vulnerable code path. Public exploitation status is currently unknown from the sources available here, and the CVE is not in CISA KEV at the time of writing. Still, a critical remote memory corruption issue in an HTTP/WebSocket handling path should be treated as high-risk by default.

Affected Products, Configuration, and Version Status

The confirmed affected product is Zephyr RTOS, specifically the Zephyr HTTP server’s WebSocket upgrade handling. The vulnerable path is reachable when the following configuration is enabled:

  • CONFIG_HTTP_SERVER_WEBSOCKET

That means not every Zephyr deployment is necessarily exposed. Systems that do not use the HTTP server, or that use it without WebSocket support, may not be reachable through this code path. From a defender perspective, configuration scoping matters because many embedded fleets are built from highly customized firmware images and feature flags.

There is an important documentation limitation here: based on the research note provided, the exact affected version range and the exact fixed version number were not reliably retrievable from the primary-source text available in this session. The upstream GitHub Security Advisory exists at GHSA-wgr4-9pwq-94vj, and Zephyr’s official vulnerabilities page exists, but the source text available here did not expose the precise release boundaries. Because the user asked for specific affected ranges and the fixed version number, the only accurate statement is:

  • Affected version range: unknown from currently available source text in this session
  • Fixed version: unknown from currently available source text in this session

In the absence of authoritative version details, defenders should assume that any Zephyr build incorporating the vulnerable HTTP server WebSocket code path may be affected until validated against the upstream advisory and release notes. For practical triage, that means identifying all firmware builds using Zephyr HTTP server plus WebSocket support, then mapping those builds to the exact upstream Zephyr commit, tag, or vendor fork in use.

Technical Notes

Check Zephyr build configuration artifacts for WebSocket support:

grep -R "CONFIG_HTTP_SERVER_WEBSOCKET=y" build/ zephyr/ .config 2>/dev/null

If you maintain source-based firmware trees, search for HTTP server and WebSocket enablement together:

grep -R "CONFIG_HTTP_SERVER_WEBSOCKET" .
grep -R "http_server" .

A minimal Kconfig-style indicator of exposure looks like this:

CONFIG_HTTP_SERVER=y
CONFIG_HTTP_SERVER_WEBSOCKET=y

Root Cause and Exploitability

The core bug is an unsafe C string-handling sequence. A user-controlled Sec-WebSocket-Key header is copied into a fixed-size buffer using a bounded copy operation that may fail to append a terminating \0 when the source string exactly fills the destination. Later in the WebSocket upgrade flow, that buffer is copied again to a local stack buffer and passed to strlen(). If there is no NUL byte in-bounds, strlen() continues reading beyond the buffer.

The next step is what elevates this from a simple parsing defect to a serious memory corruption issue. The application then concatenates the WebSocket magic string to compute the expected handshake material. If the string length calculation already ran past the valid boundary, subsequent writes can also occur out of bounds. Per the NVD description, this results in out-of-bounds read and write on stack memory.

For exploitation analysis, denial of service is the most defensible outcome to assume immediately. Stack corruption can crash the HTTP handling thread or the whole device, depending on build and runtime architecture. Potential code execution is plausible but not guaranteed. Real exploitability will depend on architecture, compiler behavior, stack canaries, memory layout, optimization level, and whether downstream vendors applied additional hardening.

At the time of writing, the research note confirms no public proof of concept was identified from the retrieved sources, and no confirmed in-the-wild exploitation was identified. The CVE is also not currently listed in CISA KEV. That should not be misread as low risk. Instead, it means defenders must prioritize based on exposure and impact, not on public exploitation headlines.

Technical Notes

The vulnerable header is explicitly named in the advisory context:

Sec-WebSocket-Key: <attacker-controlled value>

A high-level pseudocode representation of the flaw pattern is:

char key_buf[FIXED];
strncpy(key_buf, user_header, sizeof(key_buf));   // may omit NUL

char stack_buf[FIXED];
memcpy(stack_buf, key_buf, sizeof(stack_buf));

size_t len = strlen(stack_buf);                   // OOB read if no NUL
strcat(stack_buf, WS_MAGIC);                      // possible OOB write

Exploitation Status and Defender Assumptions

Based on the research note, there is no confirmed public PoC and no confirmed in-the-wild exploitation for CVE-2026-5067 from the sources retrieved in this session. The CVE is also not currently present in the CISA Known Exploited Vulnerabilities catalog. Those are useful facts, but they are not a reason to de-prioritize response.

In the absence of confirmed exploitation data, defenders should assume that exploit development is feasible enough to matter. The vulnerability is remotely reachable, unauthenticated, and located in an HTTP parsing and upgrade flow that can often be exercised repeatedly. That combination is routinely attractive to attackers and researchers. For exposed devices, the prudent posture is to prioritize inventory, exposure reduction, and patch validation now rather than wait for broader public reporting.

ResponderRunbook · act now

Exposure Assessment and Detection Guidance

The first detection question is not “Was I exploited?” but “Do I expose the vulnerable path?” Start by inventorying devices that run Zephyr-based firmware with HTTP services reachable from untrusted clients. Then determine whether WebSocket upgrades are supported and enabled. In many environments, this can be faster through build and SBOM analysis than through live network probing alone.

The second detection question is whether you have evidence of malformed upgrade attempts. Because the trigger uses a crafted Sec-WebSocket-Key header, HTTP request logging at a reverse proxy, gateway, or debug service layer can be useful even if the Zephyr device itself has limited logging. The most useful signals are WebSocket upgrade requests followed closely by service instability, resets, watchdog events, or crashes.

If your environment lacks detailed HTTP logs on-device, compensate at the network edge. Many embedded fleets sit behind load balancers, API gateways, or test harnesses that record raw headers. Even if you cannot confirm exploitation, the presence of suspicious WebSocket upgrade traffic to devices that should never receive such traffic is a meaningful indicator of targeting.

You should also review crash telemetry and watchdog reboot patterns on exposed devices. A sudden rise in reboots, fault handlers, or communication dropouts on devices with WebSocket enabled may justify immediate containment, especially if the timing aligns with inbound upgrade requests.

Technical Notes

A concrete pattern to hunt for in HTTP logs is repeated WebSocket upgrade attempts with unusually long or malformed Sec-WebSocket-Key values:

Sec-WebSocket-Key:\s.{20,}

A simple grep example for proxy or test harness logs:

grep -E "Upgrade: websocket|Sec-WebSocket-Key:" /var/log/nginx/access.log /var/log/http*.log

Example Sigma-style detection logic for edge logs:

title: Suspicious WebSocket Upgrade Requests to Zephyr Devices
logsource:
  category: webserver
detection:
  selection1:
    cs-header|contains: "Upgrade: websocket"
  selection2:
    cs-header|contains: "Sec-WebSocket-Key:"
  condition: selection1 and selection2
level: medium

A Suricata-style HTTP signature concept for visibility:

alert http any any -> $HOME_NET any (msg:"WebSocket upgrade attempt with Sec-WebSocket-Key"; http.header; content:"Upgrade|3A| websocket"; nocase; http.header; content:"Sec-WebSocket-Key|3A|"; nocase; sid:5067001; rev:1;)

Mitigation, Patching, and Operational Workarounds

The preferred mitigation is to apply the upstream fix referenced by the official Zephyr security advisory GHSA-wgr4-9pwq-94vj. However, the exact fixed version number could not be verified from the source text available in this session. Because of that, defenders should not guess at a safe release. Instead, they should validate the remediation target directly against the upstream advisory and release notes before pushing firmware updates.

If patching is not immediately possible, the most effective workaround is to disable the vulnerable feature path by removing WebSocket support. This directly reduces exposure because the vulnerability is specifically tied to the HTTP server WebSocket upgrade handling. Where feature removal is not possible, the next best control is network restriction: permit access only from trusted management networks, test networks, or authenticated application gateways.

For internet-exposed or partner-exposed devices, consider compensating controls at the edge. Block or rate-limit WebSocket upgrade requests if the deployment does not require them. If WebSockets are required, route them through a proxy that enforces strict header normalization and request filtering. That will not fix the device code, but it can reduce reachability of malformed requests while firmware remediation is in progress.

Operationally, firmware teams should also review downstream forks. Many organizations ship Zephyr as a vendored component, and patch lag can be significant. It is not enough to know that upstream has an advisory. You need to confirm whether your product branch includes the vulnerable code and whether your build has incorporated the relevant fix.

Technical Notes

To disable WebSocket support in Zephyr configuration, remove or override the setting:

# prj.conf
CONFIG_HTTP_SERVER_WEBSOCKET=n

Example rebuild workflow:

west build -b <board> -p always
west flash

If your environment manages Zephyr as a source dependency, update from upstream only after verifying the advisory’s fixed commit or release:

west update
west build -b <board>

If you maintain a Git checkout of Zephyr directly:

git fetch origin --tags
git log --grep="CVE-2026-5067" --oneline
git log --grep="GHSA-wgr4-9pwq-94vj" --oneline

For edge mitigation on a reverse proxy, block upgrade requests where WebSockets are not needed:

if ($http_upgrade ~* "websocket") {
    return 403;
}

References

Source URL
NVD CVE record NVD CVE record
GitHub Security Advisory GitHub Security Advisory
Zephyr official vulnerabilities page Zephyr official vulnerabilities page
Zephyr Project Zephyr Project

For further reading on data breach responsibilities, see our article on Controller vs. Processor: Who Reports a Data Breach? and if you’re interested in securing your network, check out our comparison of WireGuard vs. OpenVPN: Which Should You Choose?.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-07-11

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.