Zephyr RTOS
CVE-2026-10651
MEDIUM
Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Adjacent Bluetooth range (AV:A), single malformed packet (AC:L), no auth needed to query SDP (PR:N), kernel panic (A:H), minor info leak in assert-disabled builds (C:L).
Primary rating from Vendor (zephyr).
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then unconditionally pulls an additional byte for the value type without verifying that the byte is present. A truncated 3-byte attribute (for example 09 00 09) therefore reaches net_buf_simple_pull() with insufficient remaining length, triggering the __ASSERT_NO_MSG(buf->len >= len) check and a kernel panic in assert-enabled builds (denial of service). In builds where assertions are disabled, parsing may continue past the end of the available buffer, leading to an out-of-bounds read and undefined behavior.
AnalysisAI
Denial of service in Zephyr RTOS Bluetooth Classic SDP parser allows adjacent Bluetooth attackers to crash devices via a malformed 3-byte SDP attribute that triggers a reachable kernel assertion. The flaw resides in bt_sdp_parse_attribute() in subsys/bluetooth/host/classic/sdp.c, where the parser pulls a value-type byte without first verifying buffer length, causing a kernel panic in assert-enabled builds and an out-of-bounds read with undefined behavior when assertions are disabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires that the target device runs Zephyr with the Bluetooth Classic (BR/EDR) host stack compiled in (CONFIG_BT_CLASSIC) and that the attacker is within Bluetooth radio range (AV:A, typically <10m for Class 2 radios). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H scores 7.1 (High) and is internally consistent: AV:A reflects that Bluetooth Classic requires adjacent (radio-range) access, AC:L matches a single malformed packet, PR:N/UI:N because any peer that can initiate an SDP query can trigger it, and A:H captures the kernel panic. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker within Bluetooth radio range of a Zephyr-based device (smartwatch, hearable, industrial sensor, medical device) initiates an SDP service search and sends a single crafted attribute containing only 3 bytes such as 09 00 09. The parser asserts and the device kernel panics, dropping any active connections and requiring a reboot; repeated transmission produces a persistent denial of service against any Bluetooth Classic device in range. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - consult the Zephyr GHSA-p93g-3r68-cj53 advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p93g-3r68-cj53 for the exact patched release tag and backports, then rebuild and reflash device firmware. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and document all Zephyr RTOS devices with Bluetooth Classic enabled, including firmware versions and deployment locations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-20 – Improper Input Validation
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today