CVE Catalog

CVE-2026-10651

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile - higher than 7% of all known CVEs

Summary

A vulnerability in Zephyr's Bluetooth Classic SDP parser allows a malformed attribute to trigger a reachable assertion, causing a kernel panic (denial of service) in assert-enabled builds. In builds without assertions, it may lead to an out-of-bounds read and undefined behavior.

Risk Assessment

An attacker can remotely crash the system (DoS) by sending a crafted Bluetooth packet, disrupting device operation. In builds without assertions, undefined behavior may allow further exploitation.

Recommendation

Update Zephyr OS to a patched version immediately. If not possible, consider disabling Bluetooth Classic or implementing network-level protections.

Original NVD description (English source)

A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then unconditionally pulls an additional byte for the value type without verifying that the byte is present. A truncated 3-byte attribute (for example 09 00 09) therefore reaches net_buf_simple_pull() with insufficient remaining length, triggering the __ASSERT_NO_MSG(buf->len >= len) check and a kernel panic in assert-enabled builds (denial of service). In builds where assertions are disabled, parsing may continue past the end of the available buffer, leading to an out-of-bounds read and undefined behavior.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS