Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Bluetooth radio adjacency required (AV:A), high-complexity timing race to win (AC:H), impact is availability-only and limited to session slot denial (A:L) with no C or I consequence.
Primary rating from Vendor (zephyr).
CVSS VectorVendor: zephyr
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
A race condition in the Zephyr Bluetooth Classic RFCOMM host stack (subsys/bluetooth/host/classic/rfcomm.c) mishandles a simultaneous bidirectional session disconnect. When the local device has initiated a session teardown (state BT_RFCOMM_STATE_DISCONNECTING, DISC sent, RTX timer armed) and the connected peer concurrently sends its own DISC frame for dlci 0, rfcomm_handle_disc() invokes rfcomm_session_disconnected(), which unconditionally forced the session to BT_RFCOMM_STATE_DISCONNECTED without ever calling bt_l2cap_chan_disconnect().
Because the recovery timer was also cancelled and a later UA is ignored in the DISCONNECTED state, the session becomes permanently wedged: the underlying L2CAP channel is never released and the session slot in the fixed bt_rfcomm_pool[CONFIG_BT_MAX_CONN] array is never reclaimed (its conn pointer stays set).
Subsequent bt_rfcomm_dlc_connect() calls on that connection fail with -EINVAL due to the invalid session state, so RFCOMM service is denied for that peer, and repeated occurrences can exhaust the session pool. The DISC frame is peer-controlled over the air, but exploitation requires the peer's DISC to collide with a local-initiated disconnect (a high-complexity timing race). Impact is availability/resource-leak only; there is no memory-safety, confidentiality, or integrity consequence. The defect shipped in released versions (present in v4.4.0 and earlier).
The fix only transitions to DISCONNECTED when the session is not already in DISCONNECTING, preserving the proper L2CAP teardown path.
AnalysisAI
Race condition in Zephyr RTOS Bluetooth Classic RFCOMM host stack (v4.4.0 and earlier) permanently wedges session state and exhausts the fixed bt_rfcomm_pool when a peer-transmitted DISC frame for dlci 0 collides with a simultaneous local-initiated teardown. The underlying L2CAP channel is never released and the session slot is never reclaimed, eventually denying RFCOMM service to the targeted peer across repeated occurrences. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be within Bluetooth radio range and have an established Bluetooth Classic RFCOMM connection with the target device (AV:A). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 3.1 (Low) with vector AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L is well-calibrated: exploitation requires physical or radio Bluetooth adjacency (AV:A), a high-complexity timing race difficult to control reliably (AC:H), and yields only limited availability impact (A:L) with no confidentiality or integrity consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker within Bluetooth radio range of a Zephyr device establishes an RFCOMM session and then, at the precise moment the local device independently initiates a session teardown, transmits a DISC frame for dlci 0. If the timing race succeeds, the session slot in bt_rfcomm_pool is permanently wedged and the L2CAP channel is never freed. … |
| Remediation | Apply the upstream fix from commit c67b59f891a3a8697f1edb2a0e559fc267e75cc2 in the ZephyrProject repository (https://github.com/zephyrproject-rtos/zephyr/commit/c67b59f891a3a8697f1edb2a0e559fc267e75cc2); the patch conditions the transition to BT_RFCOMM_STATE_DISCONNECTED on the session not already being in DISCONNECTING, preserving the proper L2CAP teardown path. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40369