Zephyr
cpe:2.3:a:zephyrproject:zephyr:*:*:*:*:*:*:*, +1 more
- >= 3.7.0, <= 4.3.0
A remotely exploitable, unauthenticated vulnerability in Zephyr's HTTP server WebSocket upgrade handling is triggered by a crafted 'Sec-WebSocket-Key' header. The HTTP/1 header parser copies the header value into a fixed-size stack buffer with a bounded copy that does not guarantee NUL termination when the value's length equals the buffer size. A subsequent 'strlen()' on that buffer then reads past its end, and the resulting out-of-bounds access corrupts stack memory, causing a crash (denial of service) and potentially allowing code execution. The issue arises when 'CONFIG_HTTP_SERVER_WEBSOCKET' is enabled and affects Zephyr versions 3.7.0 through 4.3.0.
Exploitation of this vulnerability causes a denial-of-service by crashing or resetting the server process. However, the memory corruption could also be exploited to execute arbitrary code, depending on the target system, toolchain, and memory layout.
To reproduce this vulnerability, build and run a Zephyr sample HTTP server with WebSocket support enabled and the WebSocket endpoint '/ws_echo' registered. Once the server is running, send repeated upgrade requests whose 'Sec-WebSocket-Key' value is exactly 32 bytes, the length at which the bounded copy leaves the buffer without a NUL terminator. The server is expected to become unstable, crash, or reset because of the out-of-bounds read and write during WebSocket upgrade handling.
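The defect pattern described above, as an added example that is not Zephyr's code: a bounded copy into a fixed 32-byte stack buffer that leaves no terminator when the header value fills it, beside a copy routine that rejects such values and always terminates, plus a format check drawn from RFC 6455. The buffer size (taken from the 32-byte key in the reproduction steps), the function names and the sample key values are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration, not Zephyr's code. The 32-byte buffer is an
 * assumption matching the 32-byte key in the advisory's reproduction steps. */
#define WS_KEY_BUF_SIZE 32

/* The defect pattern: strncpy() into a fixed stack buffer writes no NUL when the
 * header value fills the buffer, so a later strlen() walks past the end. This
 * probe reports whether a terminator survived, using memchr() bounded to the
 * buffer so the probe itself never reads out of bounds. */
bool bounded_copy_is_terminated(const char *hdr)
{
    char key[WS_KEY_BUF_SIZE];
    memset(key, 'X', sizeof(key));            /* stale stack contents */
    strncpy(key, hdr, sizeof(key));           /* bounded, no NUL guaranteed */
    return memchr(key, '\0', sizeof(key)) != NULL;
}

/* Hardened copy: reject any value that leaves no room for the NUL, and always
 * terminate. Returns the copied length, or -1 when the value is rejected. */
int copy_ws_key(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0 || src_len >= dst_size) {
        return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return (int)src_len;
}

/* Second guard: RFC 6455 defines the key as a base64-encoded 16-byte nonce,
 * which is always exactly 24 characters ending in "==". */
bool ws_key_is_wellformed(const char *src, size_t src_len)
{
    if (src_len != 24 || src[22] != '=' || src[23] != '=') {
        return false;
    }
    for (size_t i = 0; i < 22; i++) {
        char c = src[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '+' || c == '/')) {
            return false;
        }
    }
    return true;
}
```

A parser that applies `ws_key_is_wellformed()` before `copy_ws_key()` never reaches the over-long case at all; the copy routine's length check is the backstop if the format check is ever relaxed.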