{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-5067","assignerOrgId":"e2e69745-5e70-4e92-8431-deb5529a81ad","state":"PUBLISHED","assignerShortName":"zephyr","dateReserved":"2026-03-27T22:30:27.757Z","datePublished":"2026-06-09T06:01:02.559Z","dateUpdated":"2026-06-09T13:12:08.853Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","packageName":"Zephyr","product":"Zephyr","repo":"https://github.com/zephyrproject-rtos/zephyr","vendor":"zephyrproject-rtos","versions":[{"lessThanOrEqual":"4.3.0","status":"affected","version":"3.7.0","versionType":"git"}]}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key"}],"value":"A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-170","description":"Improper Null Termination","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-787","description":"Out-of-bounds Write","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"e2e69745-5e70-4e92-8431-deb5529a81ad","shortName":"zephyr","dateUpdated":"2026-06-09T06:01:02.559Z"},"references":[{"url":"https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wgr4-9pwq-94vj"}],"source":{"discovery":"UNKNOWN"},"title":"Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key","x_generator":{"engine":"swg-tools/create-cve-info"}},"adp":[{"references":[{"url":"https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wgr4-9pwq-94vj","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-09T13:11:48.752906Z","id":"CVE-2026-5067","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-09T13:12:08.853Z"}}]}}