CVE-2026-5067 – Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key

CVE ID :CVE-2026-5067

Published : June 9, 2026, 6:16 a.m. | 18 minutes ago

Description :A remote, unauthenticated attacker can trigger memory corruption in Zephyr’s HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-9698 – DBI versions before 1.648 for Perl saved errors in a limited-sized buffer

CVE-2026-5068 – bt: l2cap le coc: remote oob write via seg counter stored in net_buf user_data

CVE-2026-41986 – ACME File System Logic Bypass Denial of Service

CVE-2026-41985 – Package Management Module Use-After-Free Vulnerability