CVE-2025-12035
Unknown Unknown - Not Provided
Integer Overflow in Zephyr Bluetooth Host Risks Traffic Corruption

Publication date: 2025-12-15

Last updated on: 2025-12-15

Assigner: Zephyr Project

Description
An integer overflow condition exists in Bluetooth Host stack, within the bt_br_acl_recv routine a critical path for processing inbound BR/EDR L2CAP traffic.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2025-12-15
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12035
EUVD
EUVD-2025-203444
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zephyrproject zephyr 4.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an integer overflow in the Bluetooth Classic (BR/EDR) L2CAP implementation within the Zephyr RTOS Bluetooth Host stack, specifically in the bt_br_acl_recv function. An attacker can send a specially crafted packet with a length field set to a very large value, causing the length calculation to overflow a 16-bit integer and wrap around to zero. This results in the internal buffer length being set to zero incorrectly, causing the system to discard valid payload data silently. Additionally, protections for packet reassembly are bypassed for BR/EDR connections, allowing malformed packets to pass through. This can lead to excessive CPU usage and disruption of flow control, causing denial-of-service (DoS) conditions in affected systems. [1]

Impact Analysis

This vulnerability can cause denial-of-service (DoS) conditions by making the system consume excessive CPU resources and disrupting Bluetooth flow control. It leads to operational disruption, resource exhaustion, or watchdog resets, especially in resource-constrained systems. Although it does not cause direct memory corruption or data compromise, the availability of the Bluetooth service can be severely impacted. [1]

Detection Guidance

Detection involves monitoring for abnormal Bluetooth BR/EDR L2CAP traffic patterns, such as unusually large or malformed packets targeting the bt_br_acl_recv function. Since the vulnerability causes excessive CPU usage and flow control disruption, system monitoring tools can detect spikes in CPU or watchdog resets related to Bluetooth activity. Specific commands depend on the system, but generally, using Bluetooth packet capture tools (e.g., btmon on Linux) to capture and analyze inbound BR/EDR L2CAP packets for suspicious length fields (e.g., hdr->len values near 0xfffc) can help identify exploit attempts. Additionally, checking system logs for error messages related to dropped packets or buffer length errors may assist in detection. [1]

Mitigation Strategies

Immediate mitigation steps include applying the patch that validates the hdr->len field before arithmetic operations to ensure it does not exceed UINT16_MAX minus the header size. If the length is invalid, the packet should be dropped and an error logged. For systems running Zephyr 4.2.0 or BR/EDR-enabled targets, updating to the patched version is necessary. Additionally, monitoring and restricting Bluetooth BR/EDR connections from untrusted devices can reduce exposure until the patch is applied. [1]

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12035. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart