PatchSiren cyber security CVE debrief
CVE-2026-10658 zephyrproject-rtos CVE debrief
CVE-2026-10658 is a high-severity vulnerability in the Zephyr Bluetooth Host ISO receive path. A missing length validation can be triggered by malformed HCI ISO data, leading to a kernel assert (denial of service) in assert-enabled builds and potential out-of-bounds read behavior in non-assert builds. The issue affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled. This vulnerability has a CVSS score of 7.1 and is considered HIGH severity. The CVE was published on 2026-06-23T01:16:26.867Z and last modified on 2026-06-23T15:11:24.183Z.
- Vendor: zephyrproject-rtos
- Product: Zephyr
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-23
Who should care
Organizations using the Zephyr Host with CONFIG_BT_ISO_RX enabled should be aware of this vulnerability. This includes products where incoming HCI data can be influenced by a malicious or compromised controller or malformed forwarded ISO traffic. The vulnerability can lead to a denial of service and potential out-of-bounds read behavior.
Technical summary
The vulnerability is caused by a missing length validation in the Zephyr Bluetooth Host ISO receive path. Specifically, in the bt_iso_recv() function (subsys/bluetooth/host/iso.c), the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header (4 bytes, ts=0) without first verifying that buf->len contains at least that many bytes. The outer HCI ISO length check in hci_iso() validates payload length consistency but not the minimum inner SDU header size. As a result, malformed ISO traffic can deterministically trigger a kernel assert (denial of service) in assert-enabled builds, and in non-assert builds, the same path may proceed with an undersized buffer, leading to out-of-bounds read behavior.
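To make the defect pattern concrete, the following is an added illustration, not code from Zephyr or from the advisory. It models only the inner SDU-header step of the receive path described above, using a constructed buffer type (not Zephyr's net_buf) and header sizes taken from the advisory (4 bytes without timestamp, 8 bytes with); the field layout inside the header follows the HCI ISO Data packet format of the Bluetooth Core specification. The hardened parser refuses a buffer shorter than the header before touching it, and additionally cross-checks the declared SDU length against the bytes that remain, which is the kind of consistency check the outer hci_iso() layer is described as performing on the HCI payload but not on the SDU header. The sample frames are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a received buffer; not Zephyr's net_buf. */
struct iso_buf {
    const uint8_t *data;
    size_t len;
};

/* SDU header sizes as stated in the advisory. */
#define ISO_HDR_LEN_NO_TS 4u
#define ISO_HDR_LEN_TS    8u

/* Parsed SDU header. Layout (Bluetooth Core spec, HCI ISO Data packet):
 * optional 4-byte Time_Stamp, 2-byte Packet_Sequence_Number, then 2 bytes
 * holding ISO_SDU_Length (low 12 bits) and Packet_Status_Flag (top 2 bits),
 * all little-endian. */
struct iso_sdu_hdr {
    bool     has_ts;
    uint32_t ts;
    uint16_t seq;
    uint16_t sdu_len;
    uint8_t  status;
};

enum iso_rx_result {
    ISO_RX_OK = 0,
    ISO_RX_ERR_SHORT_HDR,  /* fewer bytes than the SDU header needs */
    ISO_RX_ERR_SDU_LEN,    /* header declares more payload than is present */
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)get_le16(p) | ((uint32_t)get_le16(p + 2) << 16);
}

/* Hardened receive step: validate buf->len against the header size before
 * reading any header byte, then cross-check the declared SDU length. The
 * length check is the one the advisory describes as missing. The SDU-length
 * cross-check assumes a complete (unfragmented) SDU. */
enum iso_rx_result iso_parse_sdu(struct iso_buf *buf, bool ts,
                                 struct iso_sdu_hdr *out)
{
    size_t hdr_len = ts ? ISO_HDR_LEN_TS : ISO_HDR_LEN_NO_TS;
    const uint8_t *p = buf->data;

    if (buf->len < hdr_len) {
        return ISO_RX_ERR_SHORT_HDR;
    }

    out->has_ts = ts;
    out->ts = 0;
    if (ts) {
        out->ts = get_le32(p);
        p += 4;
    }
    out->seq = get_le16(p);
    p += 2;
    uint16_t len_field = get_le16(p);
    out->sdu_len = len_field & 0x0FFFu;
    out->status  = (uint8_t)(len_field >> 14);

    buf->data += hdr_len;   /* consume the header */
    buf->len  -= hdr_len;

    if (out->sdu_len > buf->len) {
        return ISO_RX_ERR_SDU_LEN;
    }
    return ISO_RX_OK;
}

/* Constructed sample frames (SDU header + payload, outer HCI header already
 * stripped). */
static const uint8_t FRAME_SHORT_NO_TS[] = { 0x01, 0x00, 0x05 };             /* 3 bytes, needs 4 */
static const uint8_t FRAME_SHORT_TS[]    = { 0, 0, 0, 0, 0x01, 0x00, 0x03 }; /* 7 bytes, needs 8 */
static const uint8_t FRAME_OK_TS[]       = { 0x78, 0x56, 0x34, 0x12,         /* ts = 0x12345678 */
                                             0x07, 0x00,                      /* seq = 7 */
                                             0x03, 0x00,                      /* sdu_len = 3 */
                                             0xAA, 0xBB, 0xCC };              /* payload */
static const uint8_t FRAME_LEN_LIE[]     = { 0x07, 0x00, 0x10, 0x00, 0xAA };  /* claims 16, has 1 */

/* Wrap a frame in an iso_buf and run the parser; out may be NULL. */
enum iso_rx_result iso_try_frame(const uint8_t *frame, size_t len, bool ts,
                                 struct iso_sdu_hdr *out)
{
    struct iso_sdu_hdr scratch;
    struct iso_buf buf = { frame, len };
    return iso_parse_sdu(&buf, ts, out ? out : &scratch);
}

/* True when the well-formed TS frame parses to the expected field values. */
bool demo_ok_ts_fields(void)
{
    struct iso_sdu_hdr h;
    if (iso_try_frame(FRAME_OK_TS, sizeof FRAME_OK_TS, true, &h) != ISO_RX_OK) {
        return false;
    }
    return h.has_ts && h.ts == 0x12345678u && h.seq == 7 && h.sdu_len == 3 && h.status == 0;
}

int main(void)
{
    printf("short no-TS : %d\n", iso_try_frame(FRAME_SHORT_NO_TS, sizeof FRAME_SHORT_NO_TS, false, NULL));
    printf("short TS    : %d\n", iso_try_frame(FRAME_SHORT_TS, sizeof FRAME_SHORT_TS, true, NULL));
    printf("length lie  : %d\n", iso_try_frame(FRAME_LEN_LIE, sizeof FRAME_LEN_LIE, false, NULL));
    printf("ok TS fields: %s\n", demo_ok_ts_fields() ? "yes" : "no");
    return 0;
}
```

The vulnerable shape is the same function without the `buf->len < hdr_len` branch: it would read up to eight header bytes from a three-byte buffer, which is exactly the assert in an assert-enabled build and an out-of-bounds read otherwise. Keeping the size check ahead of the first read, rather than relying on the outer HCI length check, is the point of the fix.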
Defensive priority
High priority should be given to patching this vulnerability, as it can lead to a denial of service and potential out-of-bounds read behavior. Organizations should prioritize patching systems using the Zephyr Host with CONFIG_BT_ISO_RX enabled.
Recommended defensive actions
- Patch systems using the Zephyr Host with CONFIG_BT_ISO_RX enabled.
- Confirm that the patched Host validates the minimum SDU header length on incoming HCI ISO data before parsing it, so malformed ISO traffic is rejected rather than processed.
- Monitor affected devices for kernel asserts, unexpected resets or other signs of denial of service, and treat them as potential exploitation of this issue.
- Review and update incident response plans to address potential exploitation.
- Perform thorough vulnerability assessments to identify affected systems.
Evidence notes
The CVE-2026-10658 vulnerability is based on information from the NVD and Zephyr project sources. The vulnerability affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled. Evidence is limited to official CVE and NVD records, as well as a Zephyr project advisory.
Official resources
- CVE-2026-10658 CVE record (CVE.org)
- CVE-2026-10658 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
This article is AI-assisted and based on the supplied source corpus.