Zephyr · Zephyr · CVE-2020-10060
**Name of the Vulnerable Software and Affected Versions**
zephyrproject-rtos zephyr, versions 2.1.0 through 2.2.0 and later.
**Description**
The issue occurs after JSON parsing completes in the updatehub probe: the code reads objects[1] from the output structure without checking how many elements were actually decoded, so if the JSON contains fewer than two elements the read references uninitialized stack memory. This can result in a crash, denial of service, or possibly an information leak. The attack requires a compromised server if the fix for the related issue is applied.
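To make the bug pattern concrete, the following is an added example (not Zephyr's updatehub or JSON-library code). It uses a small constructed parser, `parse_probe_response`, that stands in for a real JSON-to-struct decoder: it fills only the array slots it actually sees and returns the number of decoded elements. `probe_vulnerable` reads `objects[1]` unconditionally, so a one-element response makes it return whatever was on the stack; `probe_hardened` zeroes the structure and rejects responses with fewer than two elements before indexing. All names and the JSON shape (`[{"id":N}, ...]`) are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJECTS 2

struct probe_object {
    long id;
};

/* Output structure, modelled on a decoder that writes a fixed-size array
 * plus a count of how many elements it really filled. */
struct probe_response {
    struct probe_object objects[MAX_OBJECTS];
    size_t objects_len; /* number of elements actually decoded */
};

/* Constructed minimal parser (not a real JSON library): expects a JSON
 * array of objects, each carrying an integer "id". Returns the number of
 * objects decoded (0..MAX_OBJECTS) or -1 on malformed input or overflow.
 * Slots beyond the returned count are never written. */
static int parse_probe_response(const char *json, struct probe_response *out)
{
    const char *p = json;
    int depth = 0;
    size_t count = 0;

    out->objects_len = 0;
    while (*p == ' ') {
        p++;
    }
    if (*p != '[') {
        return -1;
    }
    for (p++; *p; p++) {
        if (*p == '{') {
            depth++;
            if (depth == 1) {
                const char *key = strstr(p, "\"id\"");
                const char *end = strchr(p, '}');
                const char *colon;

                if (!key || !end || key > end) {
                    return -1;
                }
                colon = strchr(key, ':');
                if (!colon || colon > end) {
                    return -1;
                }
                if (count >= MAX_OBJECTS) {
                    return -1; /* more elements than the structure can hold */
                }
                out->objects[count].id = strtol(colon + 1, NULL, 10);
                count++;
            }
        } else if (*p == '}') {
            if (depth == 0) {
                return -1;
            }
            depth--;
        } else if (*p == ']' && depth == 0) {
            out->objects_len = count;
            return (int)count;
        }
    }
    return -1; /* unterminated array */
}

/* Vulnerable pattern: objects[1] is read regardless of how many elements
 * were decoded. With a one-element array, objects[1] is uninitialized
 * stack memory, so the result is garbage (and reading it is undefined
 * behaviour). */
static long probe_vulnerable(const char *json)
{
    struct probe_response resp; /* deliberately not zeroed */

    if (parse_probe_response(json, &resp) < 0) {
        return -1;
    }
    return resp.objects[1].id;
}

/* Hardened pattern: zero the structure so every slot has a defined value,
 * then check the decoded count before indexing. Fewer than two elements is
 * treated as a protocol error and reported as -1. */
static long probe_hardened(const char *json)
{
    struct probe_response resp;

    memset(&resp, 0, sizeof(resp));
    if (parse_probe_response(json, &resp) < 2) {
        return -1;
    }
    return resp.objects[1].id;
}

int main(void)
{
    /* Constructed sample responses. */
    const char *two = "[{\"id\":7},{\"id\":42}]";
    const char *one = "[{\"id\":7}]";

    printf("hardened, two elements : %ld\n", probe_hardened(two));
    printf("hardened, one element  : %ld (rejected)\n", probe_hardened(one));
    printf("vulnerable, one element: %ld (stack garbage)\n", probe_vulnerable(one));
    return 0;
}
```

The check in `probe_hardened` is the part that matters: the decoder's return value (or the `objects_len` field it fills) is the only trustworthy statement of how many slots are valid, and the server controls that number. Zeroing the structure is a second line of defence that turns a missed check into a deterministic zero rather than a leak of earlier stack contents.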
**Recommendations**
For zephyr versions 2.1.0 and later, apply the provided fix so that objects[1] is not read unless at least two elements were parsed, preventing the access to uninitialized stack memory.
For zephyr versions 2.2.0 and later, ensure the fix is applied to mitigate the risk of a crash, denial of service, or information leak.