PT-2026-53754 · Zephyr · Zephyr

Ret2C · Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-8023

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Zephyr versions 4.0.0 through 4.4.0

Description: The HTTP server (subsys/net/lib/http) contains a path traversal flaw when the static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS) is used with CONFIG_FILE_SYSTEM enabled. Neither the HTTP/1 nor the HTTP/2 front-end resolves "." and ".." segments in the request path, which is stored in the client's URL buffer exactly as received. The static-FS handler builds the on-disk filename by concatenating the configured root directory with this raw URL and opens it with fs_open(). An unauthenticated remote client can therefore send a specially crafted request containing ".." segments to escape the configured web root and read arbitrary files on the mounted volume.

Recommendations: Update Zephyr to a version later than 4.4.0. As a temporary mitigation, avoid registering static-filesystem resources, or disable CONFIG_FILE_SYSTEM if it is not required.
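The normalization step the description says is missing, as an added C example (not Zephyr's own code or its fix): the configured root and the request path are joined only after "." and ".." segments are resolved, and any request that would climb above the root is rejected before fs_open() is ever reached. It assumes the request path has already been percent-decoded and that the root has no trailing slash; the root value "/lfs/www" used in the comments is constructed.

```c
#include <stdbool.h>
#include <string.h>

/* Build the on-disk filename for a static-FS resource from the configured root
 * and an already percent-decoded request path, resolving "." and ".." segments
 * and refusing any path that would climb above the root. Returns true and fills
 * out on success; false on a traversal attempt, bad input or buffer overflow. */
bool resolve_static_fs_path(const char *root, const char *url, char *out, size_t out_len)
{
	size_t seg_start[16]; /* offset in out where each kept segment begins */
	size_t depth = 0, len = strlen(root);
	const char *p = url;
	if (url == NULL || *url != '/' || len + 2 > out_len) {
		return false;
	}
	memcpy(out, root, len); /* root is trusted configuration, e.g. "/lfs/www" */
	while (*p != '\0') {
		while (*p == '/') {
			p++; /* collapse repeated slashes */
		}
		if (*p == '\0') {
			break;
		}
		const char *end = strchr(p, '/');
		size_t n = end ? (size_t)(end - p) : strlen(p);
		if (n == 1 && p[0] == '.') {
			/* "." names the current directory: drop it */
		} else if (n == 2 && p[0] == '.' && p[1] == '.') {
			if (depth == 0) {
				return false; /* ".." with nothing to pop would escape the root */
			}
			len = seg_start[--depth]; /* pop the previous segment */
		} else {
			if (depth == 16 || len + 1 + n >= out_len) {
				return false;
			}
			seg_start[depth++] = len;
			out[len++] = '/';
			memcpy(out + len, p, n);
			len += n;
		}
		p += n;
	}
	if (len == strlen(root)) {
		out[len++] = '/'; /* request resolved to the root directory itself */
	}
	out[len] = '\0';
	return true;
}
```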

Fix

Weakness Enumeration: Path traversal · Relative Path Traversal

Related Identifiers: CVE-2026-8023

Affected Products: Zephyr