CVE-2026-5068
HighCVSS 7.6Exploitation Probability (EPSS)
Low risk6th percentile - higher than 6% of all known CVEs
Summary
A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When segmentation is enabled and the RX pool user_data_size is less than 2 bytes, the segmentation counter is written out of bounds, causing an AddressSanitizer abort or heap corruption.
Risk Assessment
The organization faces remote denial of service or potential code execution on devices using the Zephyr Bluetooth stack, which could lead to system crashes or compromise.
Recommendation
Update the Zephyr Bluetooth stack to a patched version immediately and ensure RX pool user_data_size is at least 2 bytes to prevent the out-of-bounds write.
Original NVD description (English source)
A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the segmentation counter stored in the net_buf user_data area is written out of bounds in l2cap_chan_le_recv_seg (subsys/bluetooth/host/l2cap.c). The observed effects are an AddressSanitizer abort and, without ASan, heap corruption / fatal error.

