Skip to main content

Zephyr RTOS CVE-2026-10658

HIGH
Out-of-bounds Read (CWE-125)
2026-06-22 zephyr
7.1
CVSS 3.1 · Vendor: zephyr
Share

Severity by source

Vendor (zephyr) PRIMARY
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
vuln.today AI
7.1 HIGH

Adjacent Bluetooth/HCI vector, no auth or UI, deterministic crash gives A:H, possible OOB read in non-assert builds justifies C:L, no integrity impact.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorVendor: zephyr

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

2
CVE Published
Jun 23, 2026 - 00:44 cve.org
HIGH 7.1
Analysis Generated
Jun 23, 2026 - 00:42 vuln.today

DescriptionCVE.org

A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header (4 bytes, ts=0) without first verifying that buf->len contains at least that many bytes. The outer HCI ISO length check in hci_iso() validates payload length consistency but not the minimum inner SDU header size, so a packet with payload length 1 passes hci_iso() and then reaches net_buf_pull_mem(), which asserts buf->len >= len. As a result, malformed ISO traffic deterministically triggers a kernel assert (denial of service) in assert-enabled builds, and in non-assert builds the same path may proceed with an undersized buffer, leading to out-of-bounds read behavior. The issue affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled, particularly where incoming HCI data can be influenced by a malicious or compromised controller or malformed forwarded ISO traffic.

AnalysisAI

Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain control of Bluetooth controller or HCI link
Delivery
Craft HCI ISO packet with undersized SDU header
Exploit
Forward malformed frame to Zephyr Host
Install
Pass outer hci_iso() length envelope check
C2
net_buf_pull_mem() under-reads buffer
Execute
Assert fires or OOB memory read
Impact
Device crash or limited memory disclosure

Vulnerability AssessmentAI

Exploitation Target firmware must be built from Zephyr with the Bluetooth Host stack and CONFIG_BT_ISO_RX enabled, and the attacker must be able to deliver a crafted HCI ISO Data packet with PB=START or PB=SINGLE and a payload length below the inner SDU header size (1 byte suffices to bypass hci_iso() while underflowing the 4- or 8-byte pull). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H yields 7.1 (High) and is consistent with the description: the attack vector is adjacent (Bluetooth controller link), unauthenticated, with low complexity and a primary availability impact, plus a minor confidentiality impact reflecting the possible OOB read in non-assert builds. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or compromises the Bluetooth controller attached to a Zephyr Host (for example, via a malicious USB Bluetooth dongle, a tampered HCI-UART link, or a compromised co-processor) sends an HCI ISO Data packet whose payload length passes the outer hci_iso() check but is smaller than the required 4- or 8-byte SDU header. bt_iso_recv() then invokes net_buf_pull_mem() on an undersized buffer, deterministically asserting and crashing the device in assert-enabled builds, or reading beyond the buffer in non-assert builds. …
Remediation Upstream fix available (PR/commit per GHSA-26g8-rmpf-j6cw); released patched version not independently confirmed from the provided data - consult https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-26g8-rmpf-j6cw and update to the corresponding Zephyr LTS or main-branch tag once identified, then rebuild and reflash affected firmware. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-10658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy