Skip to main content

Zephyr RTOS CVE-2026-10651

MEDIUM
Improper Input Validation (CWE-20)
2026-06-22 zephyr
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
HIGH
qualitative
NVD
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.1 HIGH

Adjacent Bluetooth range (AV:A), single malformed packet (AC:L), no auth needed to query SDP (PR:N), kernel panic (A:H), minor info leak in assert-disabled builds (C:L).

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Severity Changed
Jul 06, 2026 - 19:52 NVD
HIGH MEDIUM
CVSS changed
Jul 06, 2026 - 19:52 NVD
7.1 (HIGH) 6.5 (MEDIUM)
Analysis Generated
Jun 23, 2026 - 00:42 vuln.today

DescriptionNVD

A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then unconditionally pulls an additional byte for the value type without verifying that the byte is present. A truncated 3-byte attribute (for example 09 00 09) therefore reaches net_buf_simple_pull() with insufficient remaining length, triggering the __ASSERT_NO_MSG(buf->len >= len) check and a kernel panic in assert-enabled builds (denial of service). In builds where assertions are disabled, parsing may continue past the end of the available buffer, leading to an out-of-bounds read and undefined behavior.

AnalysisAI

Denial of service in Zephyr RTOS Bluetooth Classic SDP parser allows adjacent Bluetooth attackers to crash devices via a malformed 3-byte SDP attribute that triggers a reachable kernel assertion. The flaw resides in bt_sdp_parse_attribute() in subsys/bluetooth/host/classic/sdp.c, where the parser pulls a value-type byte without first verifying buffer length, causing a kernel panic in assert-enabled builds and an out-of-bounds read with undefined behavior when assertions are disabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate Bluetooth Classic device in range
Delivery
Establish L2CAP connection to SDP PSM
Exploit
Send malformed 3-byte SDP attribute (09 00 09)
Execution
Trigger net_buf_simple_pull length assertion
Impact
Kernel panic and device reboot (DoS)

Vulnerability AssessmentAI

Exploitation Requires that the target device runs Zephyr with the Bluetooth Classic (BR/EDR) host stack compiled in (CONFIG_BT_CLASSIC) and that the attacker is within Bluetooth radio range (AV:A, typically <10m for Class 2 radios). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H scores 7.1 (High) and is internally consistent: AV:A reflects that Bluetooth Classic requires adjacent (radio-range) access, AC:L matches a single malformed packet, PR:N/UI:N because any peer that can initiate an SDP query can trigger it, and A:H captures the kernel panic. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker within Bluetooth radio range of a Zephyr-based device (smartwatch, hearable, industrial sensor, medical device) initiates an SDP service search and sends a single crafted attribute containing only 3 bytes such as 09 00 09. The parser asserts and the device kernel panics, dropping any active connections and requiring a reboot; repeated transmission produces a persistent denial of service against any Bluetooth Classic device in range. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - consult the Zephyr GHSA-p93g-3r68-cj53 advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p93g-3r68-cj53 for the exact patched release tag and backports, then rebuild and reflash device firmware. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all Zephyr RTOS devices with Bluetooth Classic enabled, including firmware versions and deployment locations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy