Skip to main content

Zephyr RTOS CVE-2026-9263

| EUVDEUVD-2026-40366 HIGH
Out-of-bounds Read (CWE-125)
2026-06-30 zephyr
8.1
CVSS 3.1 · NVD
Share

Severity by source

Vendor (zephyr) PRIMARY
MEDIUM
qualitative
NVD
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
8.1 HIGH

Over-the-air Bluetooth reach gives AV:A; no auth or interaction (PR:N/UI:N); attacker-controlled headers make it low-complexity; memory disclosure is C:H and faults/DoS are A:H with no integrity impact.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (zephyr).

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

9
Analysis Updated
Jul 06, 2026 - 21:44 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:43 vuln.today
v4 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:42 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 06, 2026 - 21:41 vuln.today
Analysis Updated
Jul 06, 2026 - 21:41 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 19:52 vuln.today
cvss_changed
Severity Changed
Jul 06, 2026 - 19:52 NVD
MEDIUM HIGH
CVSS changed
Jul 06, 2026 - 19:52 NVD
6.5 (MEDIUM) 8.1 (HIGH)
Analysis Generated
Jun 30, 2026 - 17:25 vuln.today

DescriptionNVD

The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment (sc=0) always carries a 3-byte time_offset, so its segment-header len must be at least PDU_ISO_SEG_TIMEOFFSET_SIZE (3). isoal_check_seg_header() accepted start segments with len < 3 as valid, and isoal_rx_framed_consume() then computed length = seg_hdr->len - 3 in a uint8_t, underflowing to 253-255 when len is 0-2. That oversized length is passed to isoal_rx_append_to_sdu(), whose copy is clamped only against the destination SDU buffer size, not the source PDU length, so up to ~255 bytes of controller memory beyond the received PDU are copied (via sink_sdu_write_hci()/net_buf_add_mem) into an HCI ISO data packet and delivered to the host. The PDU and its segment headers are entirely attacker-controlled and arrive over the air, reachable through both the CIS and BIS-sync HCI data paths (hci_driver.c) and the vendor data path (ull_iso.c), so a remote CIS peer or a broadcaster the device is synced to can trigger an out-of-bounds read causing information disclosure to the host and potential denial of service (faults or malformed oversized HCI ISO packets). The flaw affects all Zephyr releases since framed ISO reception was introduced in v3.0.0. The fix rejects sc=0 segments with len < 3 in isoal_check_seg_header() and adds a guard before the subtraction in isoal_rx_framed_consume().

AnalysisAI

Out-of-bounds read in the Zephyr RTOS Bluetooth controller's ISO Adaptation Layer (isoal.c) lets an adjacent attacker leak controller memory to the HCI host and potentially crash the device. A malicious CIS peer or a broadcaster the device is BIS-synced to sends a framed ISO PDU whose start-segment length field is 0-2, causing a uint8_t underflow (len-3 → 253-255) that copies up to ~255 bytes past the received PDU into an HCI ISO packet. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Enter Bluetooth range of target
Delivery
Establish CIS or force BIS-sync
Exploit
Send framed ISO PDU with start-segment len<3
Install
Trigger uint8_t underflow (len-3
C2
255)
Execute
Over-read controller memory into HCI ISO packet
Impact
Leak memory to host or crash stack (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires an active framed ISO data path: either an established Connected Isochronous Stream (CIS) with the attacker as the peer, or the target device synchronized to an attacker-controlled Broadcast Isochronous Stream (BIS-sync); the vendor data path via ull_iso.c is also reachable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) reflects an unauthenticated, low-complexity attack over the Bluetooth radio yielding high confidentiality (memory disclosure) and high availability (faults/DoS) impact, with no integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker within Bluetooth radio range establishes a CIS connection to the target (or has the target sync to an attacker-controlled BIS broadcast), then transmits a framed ISO PDU whose start-segment header carries a length field of 0, 1, or 2. The uint8_t underflow causes the controller to copy up to ~255 bytes of adjacent controller memory into an HCI ISO data packet delivered to the host, leaking memory contents and potentially faulting the stack. …
Remediation Patch available per vendor advisory: upgrade to the fixed Zephyr release (4.5.0, the upper bound of the EUVD-affected range) or apply commit 28080d80fc8aca30af1dfd1338bd4481b13c7395, which rejects sc=0 start segments with len < 3 in isoal_check_seg_header() and adds a guard before the len-3 subtraction in isoal_rx_framed_consume(); see GHSA-6gvp-pmh8-fjh2 (https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-6gvp-pmh8-fjh2). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Zephyr RTOS deployments with Bluetooth ISO capability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Zephyr

View all
CVE-2023-4260 CRITICAL POC
10.0 Sep 27

Potential off-by-one buffer overflow vulnerability in the Zephyr fuse file system. Rated critical severity (CVSS 10.0),

CVE-2023-5055 CRITICAL POC
9.8 Nov 21

Possible variant of CVE-2021-3434 in function le_ecred_reconf_req. Rated critical severity (CVSS 9.8), this vulnerabilit

CVE-2023-4257 CRITICAL POC
9.8 Oct 13

Unchecked user input length in /subsys/net/l2/wifi/wifi_shell.c can cause buffer overflows. Rated critical severity (CVS

CVE-2023-3725 CRITICAL POC
9.8 Oct 06

Potential buffer overflow vulnerability in the Zephyr CAN bus subsystem. Rated critical severity (CVSS 9.8), this vulner

CVE-2021-3323 CRITICAL POC
9.8 Oct 12

Integer Underflow in 6LoWPAN IPHC Header Uncompression in Zephyr. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2021-3625 CRITICAL POC
9.8 Oct 05

Buffer overflow in Zephyr USB DFU DNLOAD. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable

CVE-2021-3319 CRITICAL POC
9.8 Oct 05

DOS: Incorrect 802154 Frame Validation for Omitted Source / Dest Addresses. Rated critical severity (CVSS 9.8), this vul

CVE-2018-1000800 CRITICAL POC
9.8 Sep 06

zephyr-rtos version 1.12.0 contains a NULL base pointer reference vulnerability in sys_ring_buf_put(), sys_ring_buf_get(

CVE-2023-4264 CRITICAL POC
9.6 Sep 27

Potential buffer overflow vulnerabilities n the Zephyr Bluetooth subsystem. Rated critical severity (CVSS 9.6), this vul

CVE-2026-1678 CRITICAL POC
9.4 Mar 05

Buffer overflow in Zephyr RTOS dns_unpack_name() function causing OOB writes. PoC available.

CVE-2024-1638 CRITICAL POC
9.1 Feb 19

The documentation specifies that the BT_GATT_PERM_READ_LESC and BT_GATT_PERM_WRITE_LESC defines for a Bluetooth characte

CVE-2023-5753 HIGH POC
8.8 Oct 25

Potential buffer overflows in the Bluetooth subsystem due to asserts being disabled in /subsys/bluetooth/host/hci_core.c

Share

CVE-2026-9263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy