Zephyr RTOS
CVE-2026-10658
HIGH
Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Adjacent Bluetooth/HCI vector, no auth or UI, deterministic crash gives A:H, possible OOB read in non-assert builds justifies C:L, no integrity impact.
Primary rating from Vendor (zephyr).
CVSS VectorVendor: zephyr
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header (4 bytes, ts=0) without first verifying that buf->len contains at least that many bytes. The outer HCI ISO length check in hci_iso() validates payload length consistency but not the minimum inner SDU header size, so a packet with payload length 1 passes hci_iso() and then reaches net_buf_pull_mem(), which asserts buf->len >= len. As a result, malformed ISO traffic deterministically triggers a kernel assert (denial of service) in assert-enabled builds, and in non-assert builds the same path may proceed with an undersized buffer, leading to out-of-bounds read behavior. The issue affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled, particularly where incoming HCI data can be influenced by a malicious or compromised controller or malformed forwarded ISO traffic.
AnalysisAI
Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Target firmware must be built from Zephyr with the Bluetooth Host stack and CONFIG_BT_ISO_RX enabled, and the attacker must be able to deliver a crafted HCI ISO Data packet with PB=START or PB=SINGLE and a payload length below the inner SDU header size (1 byte suffices to bypass hci_iso() while underflowing the 4- or 8-byte pull). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H yields 7.1 (High) and is consistent with the description: the attack vector is adjacent (Bluetooth controller link), unauthenticated, with low complexity and a primary availability impact, plus a minor confidentiality impact reflecting the possible OOB read in non-assert builds. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or compromises the Bluetooth controller attached to a Zephyr Host (for example, via a malicious USB Bluetooth dongle, a tampered HCI-UART link, or a compromised co-processor) sends an HCI ISO Data packet whose payload length passes the outer hci_iso() check but is smaller than the required 4- or 8-byte SDU header. bt_iso_recv() then invokes net_buf_pull_mem() on an undersized buffer, deterministically asserting and crashing the device in assert-enabled builds, or reading beyond the buffer in non-assert builds. … |
| Remediation | Upstream fix available (PR/commit per GHSA-26g8-rmpf-j6cw); released patched version not independently confirmed from the provided data - consult https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-26g8-rmpf-j6cw and update to the corresponding Zephyr LTS or main-branch tag once identified, then rebuild and reflash affected firmware. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),
Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit
Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS
Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner
Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability
Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable
DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul
zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(
Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul
Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.
The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte
Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today