Cyber Posture

CVE-2025-1673

Severity: High
Published: 25 February 2025
Modified: 28 February 2025
KEV Added:
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0040 (60.9th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.

Security Summary

CVE-2025-1673 is an out-of-bounds read vulnerability (CWE-125) in the Zephyr RTOS. A malicious or malformed DNS packet without a payload can trigger the issue, resulting in a crash that causes denial of service or an incorrect computation. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) and was published on 2025-02-25T07:15:18.837.

Attackers can exploit this remotely over the network with low attack complexity, requiring no privileges or user interaction. Any unauthenticated remote actor able to send DNS packets to a vulnerable Zephyr instance can trigger the out-of-bounds read, achieving high-impact denial of service via crashes or low-impact integrity violations through incorrect computations, while confidentiality remains unaffected.

The Zephyr Project security advisory provides details on mitigation: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-jjhx-rrh4-j8mx.
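The summary above describes the defect class only: a DNS packet that arrives with no payload is parsed as if the fixed header and question section were present, and the reader runs past the end of the buffer (CWE-125). The C example below is added by the editor and is not Zephyr's code or the code changed by the advisory; it shows the bounds checks a defender expects in a DNS parser, with every read validated against the received length so that an empty, header-only or truncated packet is rejected instead of read out of bounds. All function names (dns_header_parse, dns_name_skip, dns_query_check) and the sample packets are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DNS_HEADER_LEN 12          /* fixed header size, RFC 1035 section 4.1.1 */
#define DNS_MAX_LABEL  63          /* longest single label allowed by RFC 1035 */

struct dns_header {
    uint16_t id, flags, qdcount, ancount, nscount, arcount;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the fixed header. Returns 0 on success, -1 if fewer than 12 bytes arrived.
 * A packet with no payload at all (len == 0) is rejected here, before any read. */
int dns_header_parse(const uint8_t *pkt, size_t len, struct dns_header *h)
{
    if (pkt == NULL || h == NULL || len < DNS_HEADER_LEN)
        return -1;
    h->id      = rd16(pkt);
    h->flags   = rd16(pkt + 2);
    h->qdcount = rd16(pkt + 4);
    h->ancount = rd16(pkt + 6);
    h->nscount = rd16(pkt + 8);
    h->arcount = rd16(pkt + 10);
    return 0;
}

/* Walk one DNS name starting at offset `off`, checking each byte against `len`.
 * Returns the offset just past the name, or -1 if the name runs off the buffer
 * or a label is malformed. Compression pointers end the name (2 bytes). */
long dns_name_skip(const uint8_t *pkt, size_t len, size_t off)
{
    for (;;) {
        if (off >= len)
            return -1;                           /* length byte itself is missing */
        uint8_t l = pkt[off];
        if (l == 0)
            return (long)(off + 1);              /* root label terminates the name */
        if ((l & 0xC0) == 0xC0) {                /* compression pointer */
            if (off + 2 > len)
                return -1;
            return (long)(off + 2);
        }
        if (l > DNS_MAX_LABEL)
            return -1;                           /* 0x40..0xBF are reserved */
        off += 1u + l;
        if (off > len)
            return -1;                           /* label body runs past the buffer */
    }
}

/* Validate header plus question section. Returns 0 if every advertised question
 * is fully contained in `len` bytes, -1 otherwise. Counts in the header are
 * treated as untrusted: they are never used to read beyond `len`. */
int dns_query_check(const uint8_t *pkt, size_t len)
{
    struct dns_header h;
    if (dns_header_parse(pkt, len, &h) != 0)
        return -1;
    size_t off = DNS_HEADER_LEN;
    for (uint16_t i = 0; i < h.qdcount; i++) {
        long next = dns_name_skip(pkt, len, off);
        if (next < 0)
            return -1;
        off = (size_t)next;
        if (off + 4 > len)                       /* QTYPE + QCLASS must follow */
            return -1;
        off += 4;
    }
    return 0;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t pkt_header_only[DNS_HEADER_LEN] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};   /* qdcount = 1 but no question bytes follow */

const uint8_t pkt_valid[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01,                                  /* QTYPE  A  */
    0x00, 0x01                                   /* QCLASS IN */
};

int main(void)
{
    printf("empty packet      -> %d\n", dns_query_check(pkt_header_only, 0));
    printf("header only       -> %d\n", dns_query_check(pkt_header_only, sizeof pkt_header_only));
    printf("valid query       -> %d\n", dns_query_check(pkt_valid, sizeof pkt_valid));
    printf("truncated query   -> %d\n", dns_query_check(pkt_valid, sizeof pkt_valid - 2));
    return 0;
}
```

The point of the layout is that the received length is the only trusted bound: header counts, label lengths and compression pointers all come from the sender and are checked against it before each read, which is exactly the class of check whose absence produces an out-of-bounds read on a payload-less packet.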

Details

CWE(s)
CWE-125

Affected Products

Vendor: zephyrproject
Product: zephyr
Versions: ≤ 4.0

References