Skip to main content

Zephyr RTOS CVE-2026-10593

| EUVDEUVD-2026-39981 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-28 zephyr
6.5
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Adjacent Bluetooth LE vector limits range; PR:N because no victim-side authentication is needed; pure availability impact with no confidentiality or integrity consequence.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 28, 2026 - 05:15 vuln.today
Analysis Generated
Jun 28, 2026 - 05:15 vuln.today

DescriptionCVE.org

The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state() (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields (interval, framing, phy, sdu, rtn, latency, pd) through the stream-qos pointer with only a stream != NULL guard. stream-qos is NULL for any stream that has been codec-configured via bt_bap_stream_config() but not yet added to a unicast group (it is set only by unicast_group_add_stream()). A malicious or buggy remote ASCS server, to which the local device is connected as a BAP unicast client, can send a GATT notification announcing the ASE has entered the QoS Configured state while the local endpoint is still in the Codec Configured state - a transition the dispatcher explicitly permits - during that window, causing a write through a NULL pointer and a crash (denial of service). The data written is itself remote-controlled. The defect shipped in v4.3.0 and v4.4.0 (and earlier). The fix re-points all BAP QoS storage to the always-valid embedded ep-qos struct, eliminating the NULL dereference.

AnalysisAI

NULL pointer dereference in the Zephyr Bluetooth LE Audio Basic Audio Profile unicast client crashes devices running Zephyr v4.3.0 and v4.4.0 (and earlier) when connected to a malicious or buggy remote ASCS server. The handler unicast_client_ep_qos_state() writes attacker-controlled QoS fields through stream->qos without verifying the pointer is non-NULL - a condition that legitimately exists during the window between bt_bap_stream_config() and unicast_group_add_stream(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Establish BT LE connection as rogue ASCS server
Delivery
Wait for victim to issue bt_bap_stream_config()
Exploit
Send crafted GATT ASE QoS Configured notification
Execution
Trigger write through NULL stream->qos pointer
Impact
Device crash (denial of service)

Vulnerability AssessmentAI

Exploitation The victim device must be running Zephyr v4.3.0, v4.4.0, or an earlier version with the BAP unicast client subsystem enabled (CONFIG_BT_BAP_UNICAST_CLIENT). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H places real-world priority in the moderate range. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker within Bluetooth LE radio range of a Zephyr-based device (such as a hearing aid, audio accessory, or industrial sensor) establishes a connection posing as an ASCS server. After the victim device performs codec configuration on a BAP stream (bt_bap_stream_config()), but before it adds the stream to a unicast group (unicast_group_add_stream()), the attacker sends a crafted GATT notification announcing the ASE has entered the QoS Configured state; this triggers unicast_client_ep_qos_state() to write attacker-controlled QoS values through the NULL stream->qos pointer, causing an immediate crash and denial of service. …
Remediation Apply the upstream fix available in commit 52f25c903f2926cb1281b50fd79654668e2d483f (https://github.com/zephyrproject-rtos/zephyr/commit/52f25c903f2926cb1281b50fd79654668e2d483f), which re-points all BAP QoS storage to the always-valid embedded ep->qos struct and eliminates the NULL dereference. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy