Skip to main content

Zephyr RTOS CVE-2026-5589

| EUVDEUVD-2026-34322 MEDIUM
Out-of-bounds Write (CWE-787)
2026-06-04 vulnerabilities@zephyrproject.org
6.3
CVSS 3.1 · Vendor: zephyrproject
Share

Severity by source

Vendor (zephyrproject) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from Vendor (zephyrproject) · only source for this CVE.

CVSS VectorVendor: zephyrproject

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 19:29 vuln.today
CVSS changed
Jun 05, 2026 - 19:22 NVD
6.3 (MEDIUM)
CVE Published
Jun 04, 2026 - 20:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_len) and computes reported_len - 3 without checking that reported_len >= 3. When reported_len is less than 3, the subtraction is performed in signed int arithmetic and yields a negative value that bypasses the length guard and is then implicitly converted to a very large size_t when passed to net_buf_simple_pull_mem(). In builds without assertions, this wraps the buffer length and advances the data pointer far out of bounds, so subsequent reads dereference invalid memory. A nearby BLE device can trigger this with a non-connectable advertisement carrying a UUID16 AD structure and a crafted length byte, with no pairing or prior association required, potentially leading to denial of service or arbitrary code execution.

AnalysisAI

Integer underflow in Zephyr RTOS Bluetooth Mesh solicitation handling (versions ≤ 4.3.0) allows any physically proximate, unauthenticated BLE device to corrupt memory via a crafted advertising PDU, potentially causing denial of service or arbitrary code execution on the target device. The flaw resides in bt_mesh_sol_recv() within the OD Private Proxy Server feature and requires no prior pairing or device association to trigger. No public exploit has been identified at time of analysis and EPSS probability is low at 0.02%, but the combination of zero-interaction exploitation and RCE impact on embedded IoT devices warrants prioritization where this configuration is deployed.

Technical ContextAI

Zephyr RTOS is an open-source real-time operating system widely used in constrained IoT and embedded devices. The affected component is the Bluetooth Mesh On-Demand Private Proxy Server feature, gated by the Kconfig option CONFIG_BT_MESH_OD_PRIV_PROXY_SRV, implemented in subsys/bluetooth/mesh/solicitation.c. The root cause class is CWE-787 (Out-of-Bounds Write) arising from an integer underflow: bt_mesh_sol_recv() reads an attacker-controlled reported_len byte directly from a raw BLE advertising payload and computes reported_len - 3 in signed integer arithmetic without first verifying reported_len >= 3. When reported_len is 0, 1, or 2, the subtraction produces a negative signed integer that passes the subsequent length guard check, and this value is then implicitly widened to size_t - an unsigned type - when forwarded to net_buf_simple_pull_mem(). On common 32- or 64-bit architectures this produces a very large positive value (e.g., 0xFFFFFFFD for reported_len=0), causing net_buf_simple_pull_mem() to advance the internal data pointer far past the allocated buffer boundary. In release builds compiled without Zephyr assertions, no runtime abort occurs, so subsequent memory reads and writes target arbitrary process memory. Affected CPE per EUVD: Zephyr * ≤ 4.3.0.

RemediationAI

The primary remediation is to upgrade Zephyr RTOS to a version that includes the fix for GHSA-4pm9-4v7f-x6gr; however, an exact patched release version is not confirmed from the available input data - consult the Zephyr Project advisory at https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-4pm9-4v7f-x6gr and the VulDB entry at https://vuldb.com/vuln/368410 for the confirmed fix version before upgrading. The most effective immediate workaround is to disable CONFIG_BT_MESH_OD_PRIV_PROXY_SRV in the build configuration; this eliminates the vulnerable code path entirely, though it disables the On-Demand Private Proxy Server functionality, which may affect network privacy features for Bluetooth Mesh nodes. If disabling the feature is not feasible, enabling Zephyr's assertion mechanism (CONFIG_ASSERT=y) in production builds will cause the affected device to abort rather than proceed with the corrupted pointer, reducing the RCE risk to a denial-of-service condition - note this trade-off: assertions increase firmware size and introduce hard faults on abnormal input, which may be unacceptable in availability-sensitive deployments. Physical access controls or RF shielding to limit BLE advertising reception provide additional defense-in-depth but are not standalone mitigations.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-5589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy