CVE-2025-12035
Integer Overflow in Zephyr Bluetooth Host Risks Traffic Corruption
Publication date: 2025-12-15
Last updated on: 2025-12-15
Assigner: Zephyr Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zephyrproject | zephyr | 4.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is an integer overflow (CWE-190) in the Bluetooth Classic (BR/EDR) L2CAP receive path of the Zephyr RTOS Bluetooth Host stack, specifically in the bt_br_acl_recv function. A remote peer can send a packet whose L2CAP length field is set close to the 16-bit maximum; when the header size is added to it, the sum overflows the 16-bit variable and wraps around to zero. The host then records an internal buffer length of zero and silently discards valid payload data. In addition, the packet-reassembly protections are bypassed for BR/EDR connections, so malformed packets pass through. The combined effect is excessive CPU usage and disrupted flow control, i.e. a denial-of-service (DoS) condition on affected devices. [1]
How can this vulnerability impact me?
This vulnerability can cause denial-of-service (DoS) conditions: the affected device consumes excessive CPU resources and its Bluetooth flow control is disrupted. On resource-constrained systems this means operational disruption, resource exhaustion, or watchdog resets. It does not cause memory corruption or expose data directly, but the availability of the Bluetooth service can be severely impacted. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring inbound Bluetooth BR/EDR L2CAP traffic for malformed packets reaching bt_br_acl_recv, in particular headers whose length field is close to the 16-bit maximum (e.g. hdr->len values around 0xfffc), since a legitimate L2CAP payload never approaches that size. Because the bug manifests as excessive CPU usage and flow-control disruption, device-side monitoring can also help: look for CPU spikes, stalled Bluetooth traffic, or watchdog resets that correlate with Bluetooth activity, and check system logs for messages about dropped packets or buffer length errors. Specific commands depend on the system. On Linux, btmon can record the local controller's HCI traffic so that the L2CAP length fields of ACL packets can be inspected; note that btmon only sees traffic passing through that Linux host's own adapter, so it is useful when the Linux machine is the peer of the Zephyr device or serves as a test bench, not as a passive network monitor. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to apply the patch, which validates the hdr->len field before any arithmetic is performed on it and rejects values larger than UINT16_MAX minus the header size; an invalid length causes the packet to be dropped and an error to be logged. Systems running Zephyr 4.2.0, or any BR/EDR-enabled target built from an unpatched tree, should be updated to the patched version. Until the patch is applied, restricting Bluetooth BR/EDR connections to trusted, paired devices and monitoring for the malformed traffic described above reduces exposure. [1]
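The wraparound described in the explanation above and the length check described in this mitigation answer, side by side, as an added example. This is constructed illustration code written for this page, not Zephyr's bt_br_acl_recv or any other Zephyr source: the header struct, the L2CAP_HDR_SIZE constant, the function names and the two sample frames are assumptions chosen to model the bug class, and the detection helper is the same comparison applied to captured bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the bug class on this page. The header layout and
 * all names are assumptions for illustration, not Zephyr's own code.
 * L2CAP basic header on the wire: 16-bit little-endian payload length,
 * followed by a 16-bit little-endian channel ID.
 */
#define L2CAP_HDR_SIZE ((uint16_t)4)

struct l2cap_hdr {
    uint16_t len;   /* payload length announced by the peer */
    uint16_t cid;   /* destination channel ID */
};

/* Decode a header from a raw ACL fragment; returns false if too short. */
bool l2cap_hdr_parse(const uint8_t *buf, size_t buf_len, struct l2cap_hdr *hdr)
{
    if (buf == NULL || hdr == NULL || buf_len < L2CAP_HDR_SIZE) {
        return false;
    }
    hdr->len = (uint16_t)(buf[0] | ((uint16_t)buf[1] << 8));
    hdr->cid = (uint16_t)(buf[2] | ((uint16_t)buf[3] << 8));
    return true;
}

/*
 * Vulnerable pattern: the expected frame length is computed in 16-bit
 * arithmetic without checking hdr->len first. For hdr->len = 0xfffc,
 * 0xfffc + 4 = 0x10000 wraps to 0, so the frame appears to carry nothing
 * and the real payload bytes are silently thrown away.
 */
uint16_t frame_len_vulnerable(const struct l2cap_hdr *hdr)
{
    return (uint16_t)(hdr->len + L2CAP_HDR_SIZE);
}

/*
 * Hardened pattern: validate hdr->len before any arithmetic, as the
 * mitigation text describes. Returns false when the frame must be dropped.
 */
bool frame_len_checked(const struct l2cap_hdr *hdr, uint16_t *out)
{
    if (hdr->len > (uint16_t)(UINT16_MAX - L2CAP_HDR_SIZE)) {
        return false;  /* would wrap: drop the packet and log an error */
    }
    *out = (uint16_t)(hdr->len + L2CAP_HDR_SIZE);
    return true;
}

/*
 * Detection helper for captured traffic (e.g. ACL data from btmon): flags
 * any basic header whose announced length cannot fit in a 16-bit frame
 * length once the header is added, i.e. len > 0xfffb.
 */
bool l2cap_len_is_suspicious(const uint8_t *buf, size_t buf_len)
{
    struct l2cap_hdr hdr;
    if (!l2cap_hdr_parse(buf, buf_len, &hdr)) {
        return false;  /* truncated fragment; not this bug's trigger */
    }
    return hdr.len > (uint16_t)(UINT16_MAX - L2CAP_HDR_SIZE);
}

/* Two constructed ACL fragments: a benign one and a crafted one. */
static const uint8_t benign_frame[]  = { 0x02, 0x00, 0x40, 0x00, 0xaa, 0xbb };
static const uint8_t crafted_frame[] = { 0xfc, 0xff, 0x40, 0x00, 0xaa, 0xbb };

int main(void)
{
    const uint8_t *frames[] = { benign_frame, crafted_frame };
    const size_t lens[] = { sizeof(benign_frame), sizeof(crafted_frame) };

    for (size_t i = 0; i < 2; i++) {
        struct l2cap_hdr hdr;
        uint16_t checked = 0;
        if (!l2cap_hdr_parse(frames[i], lens[i], &hdr)) {
            continue;
        }
        printf("hdr->len=0x%04x vulnerable_total=%u checked=%s suspicious=%d\n",
               hdr.len, frame_len_vulnerable(&hdr),
               frame_len_checked(&hdr, &checked) ? "accept" : "drop",
               l2cap_len_is_suspicious(frames[i], lens[i]));
    }
    return 0;
}
```

The crafted frame announces a 0xfffc-byte payload: the unchecked computation reports a total length of 0, while the checked version refuses the frame before the addition is ever performed. The boundary value 0xfffb is the largest length that still passes, because 0xfffb + 4 = 0xffff fits in the 16-bit total.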