CVE-2026-10651 zephyrproject-rtos CVE debrief

Who should care

Organizations using Zephyr's Bluetooth Classic SDP parser should be aware of this vulnerability and take necessary steps to mitigate it. This includes reviewing their inventory of affected systems and applying patches or workarounds as needed. Additionally, defenders should monitor their systems for potential exploitation attempts.

Technical summary

The vulnerability is caused by a lack of verification of the input buffer length in the bt_sdp_parse_attribute() function. Specifically, the function unconditionally pulls an additional byte for the value type without checking if the byte is present. This can lead to a reachable assertion and a kernel panic in assert-enabled builds. In builds where assertions are disabled, parsing may continue past the end of the available buffer, leading to an out-of-bounds read and undefined behavior.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it can be used to cause a denial of service. Defenders should review their inventory of affected systems and apply patches or workarounds as needed.

Recommended defensive actions

• Review inventory of affected systems and apply patches or workarounds as needed
• Monitor systems for potential exploitation attempts
• Implement compensating controls to detect and prevent exploitation
• Verify that assertions are enabled in builds where possible
• Consider disabling Bluetooth Classic SDP parser if not needed

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and severity. The source item URL provides additional information on the vulnerability, including references to the Zephyr project's security advisory.

Official resources