Zephyr RTOS fixes Bluetooth bugs that may lead to code execution
2021-06-22 18:03

The Zephyr real-time operating system for embedded devices received an update earlier this month that fixes multiple vulnerabilities that can cause a denial-of-service condition and potentially lead to remote code execution.

Matias Karhumaa, a senior software engineer at Synopsys, an American electronic design automation company, found eight vulnerabilities in Zephyr after testing the lowest layers of the operating system's Bluetooth LE stack.

One of the flaws causes a DoS condition on the system but also has the potential for remote code execution by exploiting a use-after-free issue in Zephyr's L2CAP implementation.

The engineer found the first Bluetooth-related vulnerabilities in Zephyr RTOS in early February and reported them privately to the developer.

A new Zephyr version, 2.6.0, was released at the beginning of the month with fixes for all the security vulnerabilities listed in the table above.

"Product manufacturers using the Zephyr OS in their product are encouraged to update their Zephyr version to include the latest security fixes. Zephyr's security policy guarantees that security patches are backported to the two most recent releases and to the active LTS release," Karhumaa writes.

News URL

https://www.bleepingcomputer.com/news/security/zephyr-rtos-fixes-bluetooth-bugs-that-may-lead-to-code-execution/

Related vendor

VENDOR      LAST 12M   #/PRODUCTS   LOW   MEDIUM   HIGH   CRITICAL   TOTAL VULNS
Bluetooth   4          3            10    3        0      16