Skip to main content

Zephyr RTOS CVE-2026-10654

| EUVDEUVD-2026-40369 LOW
Race Condition (CWE-362)
2026-06-30 zephyr
3.1
CVSS 3.1 · Vendor: zephyr

Severity by source

Vendor (zephyr) PRIMARY
3.1 LOW
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.1 LOW

Bluetooth radio adjacency required (AV:A), high-complexity timing race to win (AC:H), impact is availability-only and limited to session slot denial (A:L) with no C or I consequence.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 17:26 vuln.today

DescriptionCVE.org

A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a session teardown (state BT_RFCOMM_STATE_DISCONNECTING, DISC sent, RTX timer armed) and the connected peer concurrently sends its own DISC frame for dlci 0, rfcomm_handle_disc() invokes rfcomm_session_disconnected(), which unconditionally forced the session to BT_RFCOMM_STATE_DISCONNECTED without ever calling bt_l2cap_chan_disconnect().

Because the recovery timer was also cancelled and a later UA is ignored in the DISCONNECTED state, the session becomes permanently wedged: the underlying L2CAP channel is never released and the session slot in the fixed bt_rfcomm_pool[CONFIG_BT_MAX_CONN] array is never reclaimed (its conn pointer stays set).

Subsequent bt_rfcomm_dlc_connect() calls on that connection fail with -EINVAL due to the invalid session state, so RFCOMM service is denied for that peer, and repeated occurrences can exhaust the session pool. The DISC frame is peer-controlled over the air, but exploitation requires the peer's DISC to collide with a local-initiated disconnect (a high-complexity timing race). Impact is availability/resource-leak only; there is no memory-safety, confidentiality, or integrity consequence. The defect shipped in released versions (present in v4.4.0 and earlier).

The fix only transitions to DISCONNECTED when the session is not already in DISCONNECTING, preserving the proper L2CAP teardown path.

AnalysisAI

Race condition in Zephyr RTOS Bluetooth Classic RFCOMM host stack (v4.4.0 and earlier) permanently wedges session state and exhausts the fixed bt_rfcomm_pool when a peer-transmitted DISC frame for dlci 0 collides with a simultaneous local-initiated teardown. The underlying L2CAP channel is never released and the session slot is never reclaimed, eventually denying RFCOMM service to the targeted peer across repeated occurrences. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Establish Bluetooth Classic adjacency
Delivery
Negotiate and open RFCOMM session
Exploit
Wait for or induce local-initiated disconnect
Install
Send DISC frame for dlci 0 within DISCONNECTING timing window
C2
Race condition forces invalid DISCONNECTED state without L2CAP teardown
Execute
Session slot permanently wedged in pool
Impact
Repeat to exhaust pool, RFCOMM service denied

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be within Bluetooth radio range and have an established Bluetooth Classic RFCOMM connection with the target device (AV:A). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 3.1 (Low) with vector AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L is well-calibrated: exploitation requires physical or radio Bluetooth adjacency (AV:A), a high-complexity timing race difficult to control reliably (AC:H), and yields only limited availability impact (A:L) with no confidentiality or integrity consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker within Bluetooth radio range of a Zephyr device establishes an RFCOMM session and then, at the precise moment the local device independently initiates a session teardown, transmits a DISC frame for dlci 0. If the timing race succeeds, the session slot in bt_rfcomm_pool is permanently wedged and the L2CAP channel is never freed. …
Remediation Apply the upstream fix from commit c67b59f891a3a8697f1edb2a0e559fc267e75cc2 in the ZephyrProject repository (https://github.com/zephyrproject-rtos/zephyr/commit/c67b59f891a3a8697f1edb2a0e559fc267e75cc2); the patch conditions the transition to BT_RFCOMM_STATE_DISCONNECTED on the session not already being in DISCONNECTING, preserving the proper L2CAP teardown path. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10654 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy