A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.
The HTTP/1 header parser copies the Sec-WebSocket-Key header to a fixed-size buffer using limited copying, which does not guarantee null-termination when the input length reaches the buffer size. During WebSocket upgrade handling, the buffer is copied to a local stack buffer and passed to the strlen() function; the absence of a NUL character within the buffer bounds causes an out-of-bounds read. Subsequent concatenation with the WebSocket magic string can cause a write beyond the stack buffer bounds (out-of-bounds write, CWE-787), which is a consequence of improper NUL termination (CWE-170). The vulnerable path is only reachable when the CONFIG_HTTP_SERVER_WEBSOCKET configuration option is enabled.
An attacker can cause a device to crash (DoS) through stack memory corruption, and under favorable conditions potentially achieve remote arbitrary code execution (RCE) without requiring authentication.
Apply patches available from the vendor according to references (https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wgr4-9pwq-94vj). Until an update is applied, it is recommended to disable the CONFIG_HTTP_SERVER_WEBSOCKET option in the system configuration if the WebSocket feature is not essential.
Zephyr RTOS operating system with CONFIG_HTTP_SERVER_WEBSOCKET option enabled; specific versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H