CVE-2026-5067

Zephyr · HTTP Server

A memory corruption vulnerability in the Zephyr HTTP server WebSocket upgrade path allows unauthenticated remote attackers to trigger denial of service or code execution.

Executive summary

A critical memory corruption vulnerability in the Zephyr HTTP server, reachable by unauthenticated remote attackers, poses a severe risk of system crashes or arbitrary code execution.

Vulnerability

The vulnerability occurs in the WebSocket upgrade path due to improper handling of the Sec-WebSocket-Key header. The buffer copies of the header value do not NUL-terminate the destination, so when the copied value is later processed by strlen() the result is an out-of-bounds read and write on the stack.
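To illustrate the bug class described above, the following is an added example, not Zephyr's code: a bounded copy of the Sec-WebSocket-Key value that always NUL-terminates the destination and rejects values that would not leave room for the terminator, beside a comment describing the unterminated pattern it replaces. The buffer size, function names and sample requests are assumptions constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Header value buffer size: an assumption for illustration, not Zephyr's. */
#define WS_KEY_BUF_LEN 32

/* Constructed sample requests, not captured traffic. REQ_GOOD carries the RFC
 * 6455 example key (24 chars); REQ_OVERLONG's value leaves no room for a NUL. */
static const char REQ_GOOD[] = "GET /ws HTTP/1.1\r\nUpgrade: websocket\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n";
static const char REQ_OVERLONG[] = "GET /ws HTTP/1.1\r\nSec-WebSocket-Key: "
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n\r\n";

/* Bounded copy that always leaves dst NUL-terminated. The vulnerable pattern
 * copies up to dst_len bytes with no terminator, so a later strlen(dst) runs
 * off the end; a value with no room for the NUL is rejected, dst untouched. */
bool copy_ws_key(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (src_len >= dst_len)
        return false;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return true;
}
/* Find the Sec-WebSocket-Key header (canonical casing assumed) and copy its
 * value, minus leading blanks and the trailing CRLF, into dst. */
bool extract_ws_key(const char *request, char *dst, size_t dst_len)
{
    static const char name[] = "\r\nSec-WebSocket-Key:";
    const char *p = strstr(request, name);
    if (p == NULL)
        return false;
    p += sizeof(name) - 1;
    while (*p == ' ' || *p == '\t')
        p++;
    const char *end = strstr(p, "\r\n");
    size_t len = (end != NULL) ? (size_t)(end - p) : strlen(p);
    return copy_ws_key(dst, dst_len, p, len);
}

/* Parse into a stack buffer as an upgrade handler would and return strlen()
 * of the result, or -1 when the value was missing or rejected. */
int ws_key_length(const char *request)
{
    char key[WS_KEY_BUF_LEN];
    if (!extract_ws_key(request, key, sizeof(key)))
        return -1;
    return (int)strlen(key); /* safe: key is always NUL-terminated */
}
```

A value of exactly WS_KEY_BUF_LEN bytes is the boundary case: the unterminated pattern accepts it and strlen() then reads past the buffer, while this version rejects it.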

Business impact

The CVSS score of 9.8 reflects the high potential for remote code execution and denial of service. This vulnerability could be used to disrupt critical embedded systems or services, potentially leading to total system instability or unauthorized control by an external attacker, which is particularly dangerous for IoT and industrial control devices.

Remediation

Immediate Action: Update the Zephyr software environment to the version that includes the patched HTTP server header parsing logic.

Proactive Monitoring: Monitor device logs for unexpected crashes or service restarts that may indicate exploitation attempts.

Compensating Controls: If patching is delayed, disable the WebSocket functionality (CONFIG_HTTP_SERVER_WEBSOCKET) if it is not required for production operations.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the potential for remote code execution in embedded environments, this update is critical. Organizations using Zephyr should audit their configurations and apply the necessary patches immediately to protect against remote exploitation.