CVE-2026-10593
Status: Received - Intake

Bluetooth LE Audio BAP Unicast Client QoS State Handling Flaw

Vulnerability report for CVE-2026-10593, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: Zephyr Project

Description

The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state() (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields (interval, framing, phy, sdu, rtn, latency, pd) through the stream->qos pointer with only a stream != NULL guard. stream->qos is NULL for any stream that has been codec-configured via bt_bap_stream_config() but not yet added to a unicast group (it is set only by unicast_group_add_stream()). A malicious or buggy remote ASCS server, to which the local device is connected as a BAP unicast client, can send a GATT notification announcing that the ASE has entered the QoS Configured state while the local endpoint is still in the Codec Configured state (a transition the dispatcher explicitly permits). A notification arriving in that window causes a write through a NULL pointer and a crash (denial of service); the data written is itself remote-controlled. The defect shipped in v4.3.0 and v4.4.0 (and earlier). The fix re-points all BAP QoS storage to the always-valid embedded ep->qos struct, eliminating the NULL dereference.
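To make the two write targets concrete, the following small C model (an added illustration, not Zephyr's code; the struct and function names are simplified stand-ins for the stream, endpoint and group-add lifecycle the description refers to) reproduces the pre-fix pointer-through-stream storage beside the post-fix embedded storage and runs the advisory's ordering against both:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the client state (illustration, not Zephyr's types). */
struct qos_cfg {                  /* the peer-supplied fields the handler stores */
    uint32_t interval; uint8_t framing, phy, rtn; uint16_t sdu, latency; uint32_t pd;
};
enum ase_state { ASE_IDLE, ASE_CODEC_CONFIGURED, ASE_QOS_CONFIGURED };
struct ep     { enum ase_state state; struct qos_cfg qos; }; /* embedded: always valid */
struct stream { struct ep *ep; struct qos_cfg *qos; };       /* pointer: NULL until grouped */

/* Codec config binds the endpoint but leaves stream->qos NULL; only group add sets it. */
static void stream_codec_config(struct stream *s, struct ep *ep) {
    s->ep = ep; s->qos = NULL; ep->state = ASE_CODEC_CONFIGURED;
}
static void group_add_stream(struct stream *s, struct qos_cfg *group_qos) {
    s->qos = group_qos;
}

/* Pre-fix write target: guarded only by stream != NULL (NULL while codec-configured). */
static struct qos_cfg *prefix_qos_target(struct stream *s) {
    return (s != NULL) ? s->qos : NULL;
}
/* Post-fix write target: the endpoint's embedded struct, never NULL. */
static struct qos_cfg *fixed_qos_target(struct stream *s) {
    return (s != NULL && s->ep != NULL) ? &s->ep->qos : NULL;
}

/* Handles a "QoS Configured" notification; returns false where the real
 * pre-fix code would have written through NULL and crashed. */
static bool handle_qos_state(struct stream *s, const struct qos_cfg *notif,
                             struct qos_cfg *(*target)(struct stream *)) {
    struct qos_cfg *dst = target(s);
    if (dst == NULL) return false;
    *dst = *notif;
    s->ep->state = ASE_QOS_CONFIGURED;
    return true;
}

/* Advisory scenario: the notification lands after codec config and, when
 * grouped is false, before group add. Returns true if the handler survives. */
static bool run_scenario(bool grouped, struct qos_cfg *(*target)(struct stream *)) {
    struct ep ep = {0}; struct stream s = {0}; struct qos_cfg group_qos = {0};
    struct qos_cfg notif = { .interval = 10000, .sdu = 100, .rtn = 2, .pd = 40000 }; /* constructed */
    stream_codec_config(&s, &ep);
    if (grouped) group_add_stream(&s, &group_qos);
    return handle_qos_state(&s, &notif, target) && ep.state == ASE_QOS_CONFIGURED;
}
```

The ungrouped run with the pre-fix target is the only one that fails, which is exactly the window the description identifies.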


Affected Vendors & Products

Showing 2 associated CPEs
Vendor          Product   Version / Range
zephyrproject   zephyr    4.3.0
zephyrproject   zephyr    up to 4.5.0 (excluding)

CWE

CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.

AI Quick Actions

Executive Summary

CVE-2026-10593 is a vulnerability in the Zephyr RTOS Bluetooth LE Audio Basic Audio Profile (BAP) unicast client. It occurs because the code mishandles peer-supplied ASE state notifications, specifically in the function unicast_client_ep_qos_state().

A malicious or buggy remote ASCS server can send a GATT notification that causes the local device to write attacker-controlled data through a NULL pointer, leading to a crash (denial of service). This happens when the remote server announces the ASE has entered the QoS Configured state while the local endpoint is still in the Codec Configured state, a transition allowed by the dispatcher but not properly guarded in the code.

The root cause is that the stream->qos pointer is NULL for streams that have been codec-configured but not yet added to a unicast group, and the code writes through this pointer without checking it for NULL. The vulnerability affects Zephyr v4.3.0, v4.4.0 and earlier versions, and has been fixed by changing the code to use the always-valid embedded qos struct instead.

Impact Analysis

This vulnerability can be exploited remotely by a malicious or buggy Bluetooth ASCS server connected to the affected device.

The impact is a denial of service caused by a crash due to a NULL pointer dereference when handling QoS state notifications.

The attacker can control the data written during the crash, but the main consequence is the device becoming unavailable or unresponsive, affecting availability.

Detection Guidance

This vulnerability involves a NULL-pointer dereference triggered by a malicious or buggy remote ASCS server sending a specific GATT notification to the Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client. Detection would involve monitoring Bluetooth LE Audio BAP unicast client behavior for unexpected crashes or denial of service events caused by ASE state notifications.

Since the issue is triggered by a GATT notification announcing the ASE has entered the QoS Configured state while the local endpoint is still in the Codec Configured state, network or system detection could focus on capturing and analyzing Bluetooth LE GATT traffic for such state transitions.

Specific commands or tools are not provided in the available resources. However, general approaches could include using Bluetooth protocol analyzers or tools like 'btmon' on Linux to monitor Bluetooth LE traffic, and checking system logs for crashes or denial of service symptoms related to the Bluetooth audio subsystem.

Mitigation Strategies

The immediate mitigation step is to update the Zephyr RTOS Bluetooth LE Audio Basic Audio Profile (BAP) unicast client to a version that includes the fix for this vulnerability. The fix ensures that all BAP QoS storage points to the always-valid embedded ep->qos struct, eliminating the NULL pointer dereference.

Affected versions are Zephyr v4.3.0 to v4.4.0. The fix has been merged into the main branch and is projected for release in v4.5.0. Applying this update will prevent the vulnerability from being exploited.

Until the update can be applied, consider limiting or monitoring connections to potentially untrusted ASCS servers to reduce exposure to malicious GATT notifications that could trigger the vulnerability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
