
CVE-2025-1674

Severity: High

Published: 25 February 2025

Modified: 28 February 2025
KEV Added:
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
EPSS Score: 0.0029 (52.7th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A lack of input validation allows out-of-bounds reads caused by malicious or malformed packets.

Security Summary

CVE-2025-1674 is a vulnerability in the Zephyr RTOS stemming from a lack of input validation, which enables out-of-bounds reads triggered by malicious or malformed packets. Classified under CWE-125 (Out-of-bounds Read), it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and was published on 2025-02-25T08:15:29.887.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation has a limited confidentiality impact (partial information disclosure from memory read past the intended bounds) and a high availability impact: the out-of-bounds reads can crash the system and cause denial-of-service conditions.

The Zephyr project has published a security advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-x975-8pgf-qh66, which security practitioners should review for details on mitigation strategies and available patches.

Details

CWE(s): CWE-125 (Out-of-bounds Read)

Affected Products

zephyrproject zephyr, versions ≤ 4.0
