Executive Summary

CVE-2026-5067 is a critical vulnerability in the Zephyr RTOS HTTP server's WebSocket upgrade path. It occurs when the server processes a crafted Sec-WebSocket-Key header that is not null-terminated. The HTTP header parser copies this header into a fixed-size buffer without guaranteeing null termination. Later, the buffer is copied to a local stack buffer and passed to the strlen() function, which reads beyond the buffer if no null terminator is found. This causes out-of-bounds read and write on the stack memory, leading to memory corruption.

This vulnerability can be triggered remotely by an unauthenticated attacker sending a specially crafted request, and it requires the HTTP server to have WebSocket support enabled.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to a denial-of-service (DoS) condition by crashing the server due to memory corruption. Additionally, it has the potential to allow an attacker to execute arbitrary code remotely, compromising the confidentiality, integrity, and availability of the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests to the Zephyr RTOS HTTP server that include a crafted Sec-WebSocket-Key header of exactly 32 bytes without a null terminator.

A practical detection method is to capture and analyze network traffic targeting the HTTP server, specifically looking for WebSocket upgrade requests with suspicious Sec-WebSocket-Key headers.

For example, using tcpdump or Wireshark to filter HTTP upgrade requests and inspect the Sec-WebSocket-Key header length and termination could help identify exploit attempts.

A sample tcpdump command to capture relevant traffic might be:

• tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

Then, manually inspect captured packets for WebSocket upgrade requests with Sec-WebSocket-Key headers that are exactly 32 bytes and potentially non-null-terminated.

Alternatively, custom scripts or intrusion detection system (IDS) rules can be created to detect such malformed headers.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include disabling WebSocket support in the Zephyr HTTP server by setting CONFIG_HTTP_SERVER_WEBSOCKET to 'n' or equivalent to prevent the vulnerable code path from being reachable.

Additionally, restrict or monitor incoming HTTP traffic to the affected server to detect and block suspicious WebSocket upgrade requests with crafted Sec-WebSocket-Key headers.

Since no patches are currently available for affected versions (3.7.0 to 4.3.0), avoiding exposure of the HTTP server to untrusted networks or applying network-level protections such as firewalls or web application firewalls (WAF) can reduce risk.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Zephyr's HTTP server WebSocket upgrade path can lead to critical impacts on confidentiality, integrity, and availability due to potential code execution or denial-of-service conditions. Such impacts can affect compliance with standards like GDPR and HIPAA, which require protection of data confidentiality and system integrity.

Specifically, a successful exploit could compromise sensitive data or disrupt system availability, both of which are key concerns under these regulations. However, the provided information does not explicitly detail compliance implications or mitigation steps related to these standards.

Useful 0 Not Useful 0