CVE-2026-5589 zephyrproject-rtos CVE debrief

Who should care

Users of Bluetooth Mesh-enabled devices, particularly those with the CONFIG_BT_MESH_OD_PRIV_PROXY_SRV configuration enabled, should be aware of this vulnerability and take necessary precautions.

Technical summary

The vulnerability is caused by an integer underflow in the bt_mesh_sol_recv() function, which is part of the Bluetooth Mesh solicitation handling. The function is located in the subsys/bluetooth/mesh/solicitation.c file. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_len) and computes reported_len - 3 without checking that reported_len >= 3. If reported_len is less than 3, the subtraction yields a negative value that bypasses the length guard and is then implicitly converted to a very large size_t when passed to net_buf_simple_pull_mem(). In builds without assertions, this wraps the buffer length and advances the data pointer far out of bounds, allowing subsequent reads to dereference invalid memory.

Defensive priority

High

Recommended defensive actions

• Apply patches or updates provided by the vendor as soon as possible.
• Limit exposure by disabling Bluetooth Mesh solicitation handling or restricting access to affected devices.
• Monitor for suspicious Bluetooth activity and implement additional security measures to detect potential exploitation attempts.

Evidence notes

The vulnerability was reported by an unknown source and is tracked under CVE-2026-5589. The NVD provides additional details about the vulnerability, including its CVSS score and vector.

Official resources