Zephyr v4.2.0 was released on schedule on July 18, 2025, with support until March 18, 2026.
- Release file: https://github.com/zephyrproject-rtos/zephyr/releases/tag/v4.2.0
- Release Notes: https://docs.zephyrproject.org/latest/releases/release-notes-4.2.html
- Release Blog: https://www.zephyrproject.org/zephyr-rtos-4-2-now-available-introduces-renesas-rx-support-usb-video-class-and-more/
- Migration Guide (from 4.1.0 to 4.2.0): https://docs.zephyrproject.org/latest/releases/migration-guide-4.2.html
- Supporting Video: https://www.youtube.com/watch?v=25xrHzeaw5w
The official release blog provides a detailed overview of the new features and highlights of v4.2.0. The release notes contain the details, and the video explains the major changes and demonstrates new features. The main updates are listed in the first and second-level headings, while the body text outlines the author’s personal focus areas.
Major Changes
- Added support for Renesas RX architecture
- New USB Video Class driver
- Introduced Power Harness testing in Twister, using hardware power monitors for automated data collection and analysis for current detection and result validation
- Full support for MQTT 5.0
- Added HFP/AG/HF to the Bluetooth protocol stack
- zbus API updated to 1.0.0, API status is stable
- Added 96 new mainboards and 22 expansion boards
Content Summary
Vulnerability Fixes
Detailed descriptions can be found at https://docs.zephyrproject.org/latest/security/vulnerabilities.html
- CVE 2025-27809: TLS client may inadvertently skip server authentication
- CVE 2025-27810: Potential authentication bypass during TLS handshake
- CVE 2025-2962: Infinite loop in
<span>dns_copy_qname</span> - CVE 2025-52496: Race condition in AESNI
- CVE 2025-52497: Insufficient heap read when parsing PEM encrypted data
- CVE 2025-49600: Unchecked return value in LMS verification can lead to signature bypass
- CVE 2025-49601:
<span>mbedtls_lms_import_public_key()</span>out-of-bounds read - CVE 2025-49087: Timing side-channel in block cipher decryption with PKCS#7 padding
- CVE 2025-48965: Null pointer dereference after using
<span>mbedtls_asn1_store_named_data()</span> - CVE 2025-47917: Misleading memory management in
<span>mbedtls_x509_string_to_names()</span> - CVE 2025-7403: Unblocked on September 5, 2025
API Changes
Removed
- Removed deprecated
<span>net_buf_put()</span>and<span>net_buf_get()</span>API functions - Removed deprecated
<span>include/zephyr/net/buf.h</span>header file - Removed
<span>--disable-unrecognized-section-test</span>Twister option. This option has become the default behavior - Removed deprecated kscan subsystem
- Removed
<span>meas,ms5837</span>and replaced with<span>meas,ms5837-30ba</span>and<span>meas,ms5837-02ba</span> - Removed
<span>get_ctrl</span>driver API from<span>video_driver_api</span> - Removed
<span>CONFIG_I3C_USE_GROUP_ADDR</span>and support for I3C device group addresses
Deprecated
<span>CONFIG_SCHED_DUMB</span>and<span>CONFIG_WAITQ_DUMB</span>are deprecated. Please use<span>CONFIG_SCHED_SIMPLE</span>and<span>CONFIG_WAITQ_SIMPLE</span>instead<span>CONFIG_LWM2M_ENGINE_MESSAGE_HEADER_SIZE</span>is deprecated. Header size should be included in message size, use<span>CONFIG_LWM2M_COAP_MAX_MSG_SIZE</span>- TLS credential type
<span>TLS_CREDENTIAL_SERVER_CERTIFICATE</span>is deprecated, replace with<span>TLS_CREDENTIAL_PUBLIC_CERTIFICATE</span> - Development boards
<span>arduino_uno_r4_minima</span>and<span>arduino_uno_r4_wifi</span>are deprecated, use<span>arduino_uno_r4</span>instead - Target
<span>esp32c6_devkitc</span>is deprecated, replaced with<span>esp32c6_devkitc/esp32c6/hpcore</span> - Target
<span>xiao_esp32c6</span>has been deprecated, replaced with<span>xiao_esp32c6/esp32c6/hpcore</span> <span>CONFIG_HAWKBIT_DDI_NO_SECURITY</span>is deprecated, hawkBit server no longer supports anonymous authentication<span>CONFIG_BT_CONN_TX_MAX</span>is deprecated. Consistent with<span>CONFIG_BT_BUF_ACL_TX_COUNT</span>option- Deprecated
<span>CONFIG_CRYPTO_TINYCRYPT_SHIM</span>has been removed - Deprecated
<span>CONFIG_BT_MESH_USES_TINYCRYPT</span>has been removed. Use<span>CONFIG_BT_MESH_USES_MBEDTLS_PSA</span>or<span>CONFIG_BT_MESH_USES_TFM_PSA</span>
Stable version API changes
<span>net_mgmt_request_handler_t</span>changed from<span>uint32_t</span>to<span>uint64_t</span>
New Additions
- Architecture
- Removed NIOS2 architecture
<span>ARCH_HAS_VECTOR_TABLE_RELOCATION</span>- Bluetooth: Involving audio, Host
- Build System
<span>SB_CONFIG_MCUBOOT_MODE_SINGLE_APP_RAM_LOAD</span>single application RAM load- Support for load image settings and selection
- Counter: New
<span>counter_reset()</span> - Debugging
- When
<span>CONFIG_DEBUG_COREDUMP_MEMORY_DUMP_MIN</span>is selected,<span>CONFIG_DEBUG_COREDUMP_THREAD_STACK_TOP</span>is enabled by default for ARM Cortex M <span>CONFIG_DEBUG_COREDUMP_BACKEND_IN_MEMORY</span><span>CONFIG_DEBUG_COREDUMP_BACKEND_IN_MEMORY_SIZE</span>- Coredump
- Display
- Standardized clear display API:
<span>display_clear()</span> - CFB can draw circles using
<span>cfb_draw_circle()</span> - I2C
<span>i2c_configure_dt()</span><span>I2C_DEVICE_DT_DEINIT_DEFINE</span><span>I2C_DEVICE_DT_INST_DEINIT_DEFINE</span>- I3C
<span>CONFIG_I3C_MODE</span><span>CONFIG_I3C_CONTROLLER_ROLE_ONLY</span><span>CONFIG_I3C_TARGET_ROLE_ONLY</span><span>CONFIG_I3C_DUAL_ROLE</span>- Kernel
<span>K_TIMEOUT_ABS_SEC</span><span>timespec_add()</span><span>timespec_compare()</span><span>timespec_equal()</span><span>timespec_is_valid()</span><span>timespec_negate()</span><span>timespec_normalize()</span><span>timespec_from_timeout()</span><span>timespec_to_timeout()</span><span>k_heap_array_get()</span>- LVGL
- Updated to v9.3
- Supports simultaneous display on multiple screens, supports binding input devices and displays
- Added L8/Y8 pixel format support for displays such as SSD1327, SSD1320, SSD1322, and ST75256
<span>CONFIG_LV_Z_COLOR_MONO_HW_INVERSION</span>- LoRaWAN:
<span>lorawan_request_link_check()</span> - Management
<span>CONFIG_MCUBOOT_BOOTLOADER_MODE_FIRMWARE_UPDATER</span><span>CONFIG_MCUMGR_GRP_OS_RESET_BOOT_MODE</span>- Networking: Involving Coap, DHCPv4, DNS, HTTP, IPv4, LwM2M, MQTT, OpenThread, SNTP, Sockets, WiFi, zperf
- PCIe:
<span>CONFIG_NVME_PRP_PAGE_SIZE</span> - Power Management
- Sensors
<span>sensor_value_to_deci()</span><span>sensor_value_to_centi()</span>- Stepper Motor:
<span>stepper_stop()</span> - Storage:
<span>flash_area_copy()</span> - Sys
<span>util_eq()</span><span>util_memeq()</span><span>sys_clock_gettime()</span><span>sys_clock_settime()</span><span>sys_clock_nanosleep()</span>- USB:
<span>uvc_set_video_dev()</span> - UpdateHub:
<span>updatehub_report_error()</span> - Video: Changes to API and structures, added software video generator
- ZBus
- API released version 1.0.0, now stable
- Runtime observers can allocate memory statically/dynamically
- Added some configuration options
Mainboards & Expansion Boards
Added 96 new mainboards and 22 expansion boards, see release notes for details. Domestic chips include:
-
Espressif ESP32x:
- Adafruit x6
- adafruit_feather_esp32s2
- adafruit_feather_esp32s2_tft
- adafruit_feather_esp32s2_tft_reverse
- adafruit_feather_esp32s3
- adafruit_feather_esp32s3_tft
- adafruit_feather_esp32s3_tft_reverse
- Espressif x1 esp32_devkitc
- Lilygo x4
- tdongle_s3
- ttgo_tbeam
- ttgo_toiplus
- twatch_s3
- M5Stack x1 m5stack_fire
- WeeSnow x1 esp32s3_matrix
-
Boluo BL60X
- Ansynk x1 ai_wb2_12f
- Boluo x1 bl604e_iot_dvk
- Four-Brother Smart x1 dt_bl10_devkit
-
Qinheng CH32V
- WeAct Studio x1 bluepillplus_ch32v203
- Qinheng x4
- ch32v003f4p6_dev_board
- ch32v006evt
- ch32v303vct6_evt
- linkw
Drivers
Involves multiple drivers, see release notes for details.
Instances
Added 34 new instances, see release notes for details.
Other Significant Changes
- Added support for the PXN (Privileged Execute Never) attribute of Armv8.1-M MPU
- Mbed TLS updated from 3.6.2 to 3.6.4
- TF-M updated from 2.1.1 to 2.1.2
- Updated all development boards with external I2C connectors (Qwiic, Stemma, Grove, etc.) to use the
<span>zephyr_i2c</span>label