External risk intelligence

Zephyr HTTP Server WebSocket Upgrade Memory Corruption

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-5067

The vulnerability exists in an HTTP server WebSocket upgrade path within the Zephyr RTOS. Because web servers and WebSocket endpoints are frequently exposed to the internet to provide remote connectivity or web-based management interfaces in embedded deployments, this surface is commonly reachable from the internet.

Out-of-bounds Write

Zephyrproject Zephyr

3.7.0 to 4.3.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A remote attacker can exploit a memory corruption vulnerability in the Zephyr RTOS's HTTP server when handling WebSocket connections. This could lead to system crashes or potentially allow an attacker to execute their own code, impacting the availability and integrity of affected devices.

  • Flaw in handling web socket connections.
  • Critical flaw allows remote code execution.
  • Confirm relevance and address exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to a Zephyr RTOS device with the WebSocket feature enabled. This request, containing a malicious `Sec-WebSocket-Key` header, targets the device's HTTP server. The server's flawed handling of this header can lead to memory corruption, potentially allowing the attacker to crash the system or execute arbitrary code.

  • Network access is required.
  • Triggered by a crafted WebSocket upgrade header.
  • Leads to denial of service or code execution.

Live Threat

Current exploitation, exposure, and threat context

A remote, unauthenticated attacker could trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path. When the server is configured to support WebSockets, a specially crafted header could cause the system to crash or potentially allow for code execution.

  • System memory could be corrupted.
  • A crafted header could trigger the flaw.
  • May lead to denial of service or code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Zephyr RTOS HTTP server's WebSocket upgrade path is vulnerable to remote, unauthenticated memory corruption, potentially leading to denial-of-service or code execution. Infrastructure and platform teams managing Zephyr RTOS deployments should prioritize identifying affected systems, confirming exposure, and assessing business criticality to inform remediation plans.

  • Platform and infrastructure teams own remediation.
  • Verify WebSocket server reachability and criticality.
  • Plan risk-based remediation during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Zephyr RTOS and how is it used?

Zephyr is a real-time operating system (RTOS) designed for resource-constrained devices, such as those found in the Internet of Things (IoT). It provides the core software foundation that manages hardware and networking for embedded systems, like smart sensors, industrial controllers, and connected consumer electronics, allowing them to communicate and perform specialized tasks efficiently.

What does CVE-2026-5067 mean for system memory?

This vulnerability involves memory corruption, specifically identified as Improper Null Termination (CWE-170) and Out-of-bounds Write (CWE-787). In plain terms, the software fails to correctly mark the end of a data string. When processing specific network requests, this mistake causes the system to read or overwrite nearby memory locations it should not access, which can crash the device or allow unauthorized operations.

How is this Zephyr vulnerability triggered?

An attacker triggers this by sending a specially crafted Sec-WebSocket-Key header during a WebSocket upgrade request. The vulnerability only exists when the CONFIG_HTTP_SERVER_WEBSOCKET feature is explicitly enabled in the device's configuration. Systems that do not use the built-in HTTP server or have WebSocket support disabled are not susceptible to this specific attack path.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal indicates that devices using the Zephyr HTTP server are often reachable from the internet to provide remote management or connectivity. If your device is configured to accept web traffic or WebSocket connections and is exposed to the internet, it is considered a likely target for this vulnerability, as no specialized internal network access is required to initiate the attack.

What should I do if I run Zephyr-based devices?

First, audit your deployments to identify which systems have the WebSocket server component enabled. Determine if these devices are internet-facing, as these represent the highest priority for intervention. Work with your platform team to review the affected version range (3.7.0 through 4.3.0) and schedule a firmware update or configuration change to disable the vulnerable WebSocket functionality during your next maintenance window.

References