CVE-2026-10641
Status: Received - Intake
Bluetooth Classic HFP Hands-Free Role Parser Out-of-Bounds Write

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Zephyr Project

Description
Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf->ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf.

Because the parser places no cap on the number of +CIND: list entries, a remote Audio Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction.

The sibling consumer ag_indicator_handle_values() already performed the equivalent bounds check; this commit adds the same index >= ARRAY_SIZE(hf->ind_table) guard to close the gap. Affects builds with CONFIG_BT_HFP_HF enabled; introduced with the original HFP HF CIND parser (~v1.7) and present through v4.4.0.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
zephyrproject | zephyr | From 1.7 (inc) to 4.4.0 (inc)
zephyrproject | zephyr | From 3.7.0 (inc)
CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-10641 is a high-severity out-of-bounds write vulnerability in the Zephyr RTOS Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser. During the Service Level Connection setup, the Hands-Free device sends an AT+CIND=? command and parses the Audio Gateway's +CIND: response. The vulnerability arises because the parser assigns an index to each indicator entry without verifying that the index stays within the bounds of a fixed-size array of 20 elements.

A malicious or compromised Audio Gateway can send more than 20 indicator entries, causing the index to exceed the array size and resulting in writes beyond the array boundary. This leads to memory corruption in adjacent fields of the Bluetooth HFP structure, potentially affecting feature masks, protocol state, and other critical data.

This memory corruption can cause undefined behavior and at least denial of service of the Bluetooth host, triggered remotely without any user interaction.

Impact Analysis

This vulnerability can lead to memory corruption in the Bluetooth Hands-Free Profile implementation, which can cause denial of service of the Bluetooth host subsystem.

An attacker controlling a remote Audio Gateway device can exploit this flaw by sending a specially crafted AT response with more than 20 indicator entries, triggering out-of-bounds writes.

The impact includes potential crashes, instability, or undefined behavior of the Bluetooth service, which may disrupt device connectivity and functionality.

Detection Guidance

This vulnerability occurs during the Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role negotiation, specifically when parsing the Audio Gateway's +CIND response. Detection would involve monitoring Bluetooth Classic HFP traffic for malformed or unusually large +CIND responses that contain more than 20 indicator entries.

Since the vulnerability is triggered by a remote Audio Gateway sending a malformed AT response, network detection could focus on capturing and analyzing Bluetooth HFP packets for abnormal +CIND responses.

There are no specific commands provided in the available resources to detect this vulnerability directly on a system or network.

Mitigation Strategies

The primary mitigation is to update the Zephyr RTOS Bluetooth Classic HFP HF implementation to a patched version where the vulnerability is fixed.

  • Upgrade to Zephyr versions 4.5.0, 4.4.2, 4.3.1, or 3.7.3 or later, which include the fix that adds bounds checking to prevent out-of-bounds writes.
  • If upgrading is not immediately possible, consider disabling the Bluetooth Classic HFP Hands-Free Profile (CONFIG_BT_HFP_HF) feature to prevent exposure.

The fix involves adding a bounds check in the cind_handle_values() function to ensure the index does not exceed the size of the indicator table, preventing memory corruption and denial of service.
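To make the detection heuristic above (a +CIND: response with more entries than the table holds) and the shape of the fix concrete, here is an added C example written for this page; it is not Zephyr's code. It models the +CIND: parsing step with a hypothetical hf_state structure (a 20-entry int8_t ind_table[] followed by one adjacent field standing in for the state an unchecked write would reach), a hypothetical list of recognised indicator names, and hypothetical functions cind_handle_value(), cind_entry_count(), cind_parse() and build_response(); the AG responses it processes are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-in for struct bt_hfp_hf: the 20-entry table plus one
 * adjacent field that plays the role of the state an unchecked write hits. */
struct hf_state {
    int8_t ind_table[20];
    uint32_t features;
};

/* Indicator names the HF recognises (assumed list); the position in this
 * array is the small numeric id that gets stored in ind_table[]. */
static const char *const known_ind[] = {
    "service", "call", "callsetup", "callheld", "signal", "roam", "battchg",
};

/* Map AG list position -> indicator id. Writes nothing and returns false when
 * the position lies outside ind_table[]: this is the guard the fix adds. */
static bool cind_handle_value(struct hf_state *hf, size_t index, int8_t id)
{
    if (index >= ARRAY_SIZE(hf->ind_table)) {
        return false;
    }
    hf->ind_table[index] = id;
    return true;
}

/* Count the ("name",...) entries in a +CIND: test response. A count above
 * ARRAY_SIZE(ind_table) is the anomaly a traffic monitor would flag. */
static size_t cind_entry_count(const char *resp)
{
    size_t n = 0;

    for (const char *p = strstr(resp, "(\""); p != NULL; p = strstr(p + 2, "(\"")) {
        n++;
    }
    return n;
}

/* Parse +CIND: ("name",(range)),... into ind_table[]. Returns the number of
 * list entries consumed, or -1 when an entry is malformed or a recognised
 * indicator sits at a position the table cannot hold. */
static int cind_parse(struct hf_state *hf, const char *resp)
{
    size_t index = 0;
    const char *p = strstr(resp, "(\"");

    while (p != NULL) {
        const char *end;
        char name[16];
        size_t len;

        p += 2;                          /* skip the opening (" */
        end = strchr(p, '"');
        if (end == NULL) {
            return -1;                   /* unterminated indicator name */
        }
        len = (size_t)(end - p);
        if (len >= sizeof(name)) {
            return -1;                   /* no valid indicator is this long */
        }
        memcpy(name, p, len);
        name[len] = '\0';

        for (size_t i = 0; i < ARRAY_SIZE(known_ind); i++) {
            if (strcmp(name, known_ind[i]) == 0 &&
                !cind_handle_value(hf, index, (int8_t)i)) {
                return -1;               /* over-long list: reject the response */
            }
        }
        index++;
        p = strstr(end, "(\"");
    }
    return (int)index;
}

/* Constructed AG response with n copies of a "call" entry. */
static size_t build_response(char *buf, size_t cap, size_t n)
{
    size_t used = (size_t)snprintf(buf, cap, "+CIND: ");

    for (size_t i = 0; i < n && used < cap; i++) {
        used += (size_t)snprintf(buf + used, cap - used, "%s(\"call\",(0,1))",
                                 i ? "," : "");
    }
    return used;
}

/* Parse a constructed n-entry response into a fresh state; *intact reports
 * whether the field adjacent to the table survived untouched. */
static int parse_constructed(size_t n, bool *intact)
{
    struct hf_state hf = { .features = 0xA5A5A5A5u };
    char buf[1024];
    int rc;

    build_response(buf, sizeof(buf), n);
    rc = cind_parse(&hf, buf);
    *intact = (hf.features == 0xA5A5A5A5u);
    return rc;
}

int main(void)
{
    bool intact;
    int rc = parse_constructed(25, &intact);

    printf("25-entry response: parse=%d adjacent field intact=%s\n",
           rc, intact ? "yes" : "no");
    return 0;
}
```

A response with the usual seven indicators parses normally, while the constructed 25-entry list is rejected at position 20 and the field after the table is left untouched; cind_entry_count() applied to captured traffic gives the same over-length signal without needing the parser state.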

Compliance Impact

The vulnerability causes memory corruption and denial of service in the Bluetooth host by allowing out-of-bounds writes during Bluetooth Classic Hands-Free Profile negotiation.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the integrity and availability impacts (CVSS 7.1) could indirectly affect compliance by compromising system reliability and security.

Specifically, denial of service or protocol state corruption could disrupt secure communications or device functionality, which may be relevant in environments requiring strict data protection and operational continuity.

However, there is no direct information provided about how this vulnerability impacts compliance with these regulations.
