CVE Catalog

CVE-2026-5068

HighCVSS 7.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile - higher than 6% of all known CVEs

Summary

A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When segmentation is enabled and the RX pool user_data_size is less than 2 bytes, the segmentation counter is written out of bounds, causing an AddressSanitizer abort or heap corruption.

Risk Assessment

The organization faces remote denial of service or potential code execution on devices using the Zephyr Bluetooth stack, which could lead to system crashes or compromise.

Recommendation

Update the Zephyr Bluetooth stack to a patched version immediately and ensure RX pool user_data_size is at least 2 bytes to prevent the out-of-bounds write.

Original NVD description (English source)

A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the segmentation counter stored in the net_buf user_data area is written out of bounds in l2cap_chan_le_recv_seg (subsys/bluetooth/host/l2cap.c). The observed effects are an AddressSanitizer abort and, without ASan, heap corruption / fatal error.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS