PatchSiren cyber security CVE debrief

CVE-2026-10641 zephyrproject CVE debrief

Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free (HF) role parser contains an out-of-bounds write vulnerability. During Service Level Connection (SLC) setup, a remote Audio Gateway (AG) can send a malformed +CIND: AT response with more than 20 recognized indicator entries, causing memory corruption and denial of service of the Bluetooth host. This issue affects builds with CONFIG_BT_HFP_HF enabled; it was introduced with the original HFP HF CIND parser (~v1.7) and is present through v4.4.0.

Vendor
zephyrproject
Product
zephyr
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Organizations shipping Zephyr builds with the Bluetooth Classic HFP Hands-Free role enabled should be aware of this vulnerability, in particular products that act as the HF side of the profile (headsets, hearables, car kits, intercoms) and therefore accept a Service Level Connection from an Audio Gateway such as a phone. This includes manufacturers of Bluetooth-enabled devices, automotive and industrial equipment suppliers, and developers of Bluetooth-based applications built on Zephyr.

Technical summary

The vulnerability is a missing bounds check in the cind_handle_values() function. While parsing the AG's +CIND: response during SLC setup, the function stores each recognized indicator into the 20-entry hf->ind_table[] array at a running index without verifying that the index is still inside the array. A remote AG that sends a response with more than 20 recognized indicator entries drives the index past the end of the table, so the parser writes a small attacker-positioned value into whatever struct fields follow it. The resulting memory corruption crashes the Bluetooth host. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity.
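
To make the missing check concrete, here is an added example that models the CIND parser in C. It is not Zephyr's code and not taken from the advisory: the indicator names, the struct layout, the error code, the `checked` switch and the helper names are assumptions made for the model; only the 20-entry table size and the function name cind_handle_values() come from the advisory. The unchecked mode reproduces the vulnerable pattern (the store runs past the table), the checked mode refuses a 21st recognized entry, and a constructed attack response shows that a hostile AG only has to repeat a recognized indicator name.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HF_IND_MAX 20U /* table size from the advisory: >20 entries overflow it */

/* Standard HFP indicator names; assumed to be the recognized set in this model. */
static const char *const ind_names[] = {
	"service", "call", "callsetup", "callheld", "signal", "roam", "battchg",
};
#define IND_NAME_COUNT (sizeof(ind_names) / sizeof(ind_names[0]))

/* Hypothetical HF context layout; adjacent_field stands in for whatever
 * struct fields follow ind_table[] in the real context. */
struct hf_ctx {
	uint8_t ind_table[HF_IND_MAX];
	uint32_t adjacent_field;
};

/* Map an indicator name to its id, or -1 if the HF does not recognize it. */
static int ind_lookup(const char *name, size_t len)
{
	for (size_t i = 0; i < IND_NAME_COUNT; i++) {
		if (strlen(ind_names[i]) == len && memcmp(ind_names[i], name, len) == 0) {
			return (int)i;
		}
	}
	return -1;
}

/* Parse the body of a +CIND: test response such as
 *   ("service",(0,1)),("call",(0,1)),("callsetup",(0,3))
 * Each quoted name is one indicator; recognized ones are stored in order.
 * checked == 0 skips the bound (the vulnerable pattern): pos can run past
 * HF_IND_MAX and the store becomes an out-of-bounds write (undefined
 * behaviour), so that mode is only ever used on a well-formed response.
 * Returns the number of entries stored or a negative errno. */
static int cind_handle_values(struct hf_ctx *hf, const char *body, int checked)
{
	unsigned int pos = 0;
	const char *p = body;

	while ((p = strchr(p, '"')) != NULL) {
		const char *end = strchr(p + 1, '"');
		if (end == NULL) {
			return -EINVAL; /* unterminated name */
		}
		int id = ind_lookup(p + 1, (size_t)(end - p - 1));
		if (id >= 0) {
			if (checked && pos >= HF_IND_MAX) {
				return -EINVAL; /* the fix: refuse a 21st recognized entry */
			}
			hf->ind_table[pos++] = (uint8_t)id;
		}
		p = end + 1;
	}
	return (int)pos;
}

/* Constructed attack input: a hostile AG simply repeats a recognized name. */
static int build_cind_response(char *buf, size_t cap, unsigned int n)
{
	size_t used = 0;
	for (unsigned int i = 0; i < n; i++) {
		int w = snprintf(buf + used, cap - used, "%s(\"call\",(0,1))", i ? "," : "");
		if (w < 0 || (size_t)w >= cap - used) {
			return -ENOMEM;
		}
		used += (size_t)w;
	}
	return 0;
}

/* Hardened parser on n recognized entries: returns its result and whether
 * the field after the table survived. */
static int run_hardened(unsigned int n, int *adjacent_intact)
{
	struct hf_ctx hf = { .adjacent_field = 0xA5A5A5A5u };
	char buf[1024];

	if (build_cind_response(buf, sizeof(buf), n)) {
		return -ENOMEM;
	}
	int rc = cind_handle_values(&hf, buf, 1);
	*adjacent_intact = (hf.adjacent_field == 0xA5A5A5A5u);
	return rc;
}
static int hardened_rc(unsigned int n) { int x = 0; return run_hardened(n, &x); }
static int hardened_adjacent_intact(unsigned int n) { int x = 0; run_hardened(n, &x); return x; }

/* The unchecked parser is well behaved on a normal 7-indicator AG response. */
static int benign_unchecked_rc(void)
{
	struct hf_ctx hf = { 0 };
	return cind_handle_values(&hf,
		"(\"service\",(0,1)),(\"call\",(0,1)),(\"callsetup\",(0,3)),"
		"(\"callheld\",(0,2)),(\"signal\",(0,5)),(\"roam\",(0,1)),(\"battchg\",(0,5))", 0);
}
```

The point of the model is the single `pos >= HF_IND_MAX` test: without it the 21st recognized entry lands in `adjacent_field`, which is exactly the adjacent-struct-field corruption the advisory describes; with it the parser returns an error and the SLC setup can be aborted instead of continuing with a corrupted context.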

Defensive priority

High

Recommended defensive actions

  • Update to a Zephyr release that includes the fix for CVE-2026-10641 (commit cf7693a8261ae363c9cf46cfd51005486637173e)
  • Disable CONFIG_BT_HFP_HF in builds that do not need the Hands-Free role; where HFP HF is not a product requirement, do not expose the profile at all
  • If the fix cannot be taken immediately, backport a bounds check so cind_handle_values() rejects a +CIND: response with more recognized indicator entries than hf->ind_table[] can hold (20)
  • Treat the Audio Gateway as untrusted input: the malformed response arrives during SLC setup, so review which peers are allowed to establish HFP connections to the device
  • Monitor for HFP connection attempts from unexpected peers and for Bluetooth host crashes or resets, which are the observable symptom of this bug
  • Enable the memory-protection features the target supports (e.g. stack protection, MPU-based isolation) to limit the impact of memory corruption in the Bluetooth host

Evidence notes

The vulnerability was introduced with the original HFP HF CIND parser (~v1.7) and is present through v4.4.0. It was reported to the Zephyr project, which fixed it in commit cf7693a8261ae363c9cf46cfd51005486637173e.
