Skip to main content

Zephyr RTOS CVE-2026-10641

HIGH
Out-of-bounds Write (CWE-787)
2026-06-17 zephyr
7.1
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
7.1 HIGH

Bluetooth-range adjacent vector (AV:A), no auth or user interaction on HFP SLC (PR:N/UI:N), attacker-positioned small write yields limited integrity (I:L) and reliable host DoS (A:H), no direct disclosure (C:N).

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 14:37 vuln.today
Analysis Generated
Jun 17, 2026 - 14:37 vuln.today

DescriptionCVE.org

Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf-ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf. Because the parser places no cap on the number of +CIND: list entries, a remote Attendant Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction. The sibling consumer ag_indicator_handle_values() already performed the equivalent bounds check; this commit adds the same index = ARRAY_SIZE(hf-ind_table) guard to close the gap. Affects builds with CONFIG_BT_HFP_HF enabled; introduced with the original HFP HF CIND parser (~v1.7) and present through v4.4.0.

AnalysisAI

Out-of-bounds write in Zephyr RTOS Bluetooth Classic Hands-Free Profile (HFP) parser allows an adjacent Bluetooth peer acting as an Audio Gateway to corrupt heap/static memory on devices with CONFIG_BT_HFP_HF enabled. A single malformed +CIND response sent during Service Level Connection setup can crash the Bluetooth host or corrupt adjacent connection state with no user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Approach target within Bluetooth range
Delivery
Present rogue Audio Gateway to HF device
Exploit
Allow SLC setup and AT+CIND=? query
Install
Reply with oversized +CIND indicator list
C2
Trigger OOB write in cind_handle_values()
Execute
Corrupt adjacent struct fields
Impact
Crash Bluetooth host (DoS)

Vulnerability AssessmentAI

Exploitation Target must be a Zephyr build with CONFIG_BT_HFP_HF enabled and acting in the HFP Hands-Free role, performing Service Level Connection setup with the attacker's Audio Gateway over Bluetooth Classic (BR/EDR). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H (7.1 High) is consistent with the description: exploitation is adjacent (Bluetooth range), unauthenticated, requires no user interaction, and is primarily an availability (DoS of the Bluetooth host) and limited integrity issue, with no direct confidentiality impact because the write is of an attacker-positioned but small index value. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker within Bluetooth Classic range stands up a rogue or compromised Audio Gateway (e.g., spoofed car kit or headset peer) and waits for, or coerces, a Zephyr-based device with HFP HF enabled to initiate the standard Service Level Connection. When the HF sends AT+CIND=?, the malicious AG responds with a crafted +CIND: list containing many more than 20 recognized indicator entries, causing cind_handle_values() to write past ind_table[] into adjacent struct fields and crash or corrupt the Bluetooth host. …
Remediation Upstream fix available (commit cf7693a8261ae363c9cf46cfd51005486637173e on zephyrproject-rtos/zephyr) which adds an `index >= ARRAY_SIZE(hf->ind_table)` guard in cind_handle_values(); apply the patch by upgrading to a Zephyr release that includes this commit (post-v4.4.0) or by backporting it into your fork or LTS branch - released patched version not independently confirmed beyond the commit and GHSA-wx5j-q6f2-59p3 advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all products and infrastructure using Zephyr RTOS with Bluetooth Hands-Free Profile (CONFIG_BT_HFP_HF) enabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10641 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy