CVE-2026-10651
Bluetooth Classic SDP Parser Assertion Failure in Zephyr

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: Zephyr Project

Description
A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then unconditionally pulls an additional byte for the value type without verifying that the byte is present. A truncated 3-byte attribute (for example 09 00 09) therefore reaches net_buf_simple_pull() with insufficient remaining length, triggering the __ASSERT_NO_MSG(buf->len >= len) check and a kernel panic in assert-enabled builds (denial of service). In builds where assertions are disabled, parsing may continue past the end of the available buffer, leading to an out-of-bounds read and undefined behavior.
Affected Vendors & Products
Vendor: zephyrproject
Product: zephyr
Version / Range: up to and including 4.4
CWE ID and Description
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-617: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Executive Summary

This vulnerability is a bug in the Zephyr RTOS Bluetooth Classic SDP parser, specifically in the function bt_sdp_parse_attribute(). When the parser receives a malformed SDP attribute buffer that is truncated, it attempts to read more bytes than are available without verifying the buffer length. This leads to an assertion failure in assert-enabled builds, causing a kernel panic, or to an out-of-bounds read and undefined behavior in builds without assertions.

The issue arises because the parser accepts an input buffer once it contains a 1-byte attribute type and a 2-byte attribute id, but then unconditionally pulls an additional byte for the value type without checking whether that byte exists. For example, a truncated attribute like '09 00 09' passes the 3-byte check and triggers this failure on the fourth pull.
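As an added illustration (not Zephyr's code), the following C model shows the shape of the bug the description gives: a guard that covers only the 3 bytes of attribute type and id, followed by an unchecked pull of the value-type byte, beside the guard that covers all four. The buffer struct, the parser and probe names, and the well-formed sample bytes are constructed for this example; only the 3-byte input 09 00 09 comes from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for net_buf_simple, constructed for this example (not Zephyr's struct). */
struct sbuf { const uint8_t *data; size_t len; };
/* net_buf_simple_pull() asserts __ASSERT_NO_MSG(buf->len >= len); this model records the
 * violation instead of panicking so the example runs to completion. */
static bool pull_overrun;
static const uint8_t *sbuf_pull(struct sbuf *b, size_t len)
{
    if (b->len < len) { pull_overrun = true; b->len = 0; return NULL; }
    const uint8_t *p = b->data; b->data += len; b->len -= len;
    return p;
}

/* Vulnerable shape: the guard covers the 1-byte id header and 2-byte attribute id,
 * then pulls the value-type byte without checking that it is present. */
static bool parse_attr_vulnerable(struct sbuf *b, uint16_t *id, uint8_t *vtype)
{
    if (b->len < 3) return false;
    sbuf_pull(b, 1);                        /* attribute id header (0x09 = uint16) */
    const uint8_t *p = sbuf_pull(b, 2);     /* attribute id, big-endian */
    *id = (uint16_t)(p[0] << 8 | p[1]);
    const uint8_t *v = sbuf_pull(b, 1);     /* value type: unchecked on a 3-byte input */
    if (v == NULL) return false;
    *vtype = *v;
    return true;
}
/* Hardened shape: require header + id + value type (4 bytes) before any pull. */
static bool parse_attr_hardened(struct sbuf *b, uint16_t *id, uint8_t *vtype)
{
    return b->len >= 4 && parse_attr_vulnerable(b, id, vtype);
}
/* Runs one parser over a byte string: -2 = unchecked pull (panic / OOB read in a real
 * build), -1 = rejected cleanly, otherwise (attribute id << 8) | value type. */
typedef bool (*attr_parser)(struct sbuf *, uint16_t *, uint8_t *);
static int run(attr_parser parse, const uint8_t *bytes, size_t n)
{
    struct sbuf b = { bytes, n };
    uint16_t id = 0; uint8_t vtype = 0; pull_overrun = false;
    bool ok = parse(&b, &id, &vtype);
    return pull_overrun ? -2 : ok ? (int)(id << 8 | vtype) : -1;
}
/* Constructed inputs: the advisory's truncated attribute and a well-formed one. */
static const uint8_t kTruncated[]  = { 0x09, 0x00, 0x09 };
static const uint8_t kWellFormed[] = { 0x09, 0x00, 0x01, 0x35, 0x03, 0x19, 0x11, 0x01 };
int vulnerable_on_truncated(void) { return run(parse_attr_vulnerable, kTruncated, sizeof kTruncated); }
int hardened_on_truncated(void)   { return run(parse_attr_hardened, kTruncated, sizeof kTruncated); }
int hardened_on_wellformed(void)  { return run(parse_attr_hardened, kWellFormed, sizeof kWellFormed); }
```

The same 4-byte length check is also the test a capture-inspection script would apply to flag a truncated attribute before it reaches a device.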

Impact Analysis

This vulnerability can lead to a denial of service (DoS) by causing a kernel panic in assert-enabled builds of Zephyr RTOS. In builds without assertions, it may cause undefined behavior due to out-of-bounds memory reads, potentially leading to memory corruption.

An attacker within Bluetooth range can exploit this vulnerability by sending a malformed SDP attribute to the device, which could reduce system availability or compromise system stability.

Detection Guidance

This vulnerability arises from a malformed Bluetooth Classic SDP attribute that triggers an assertion failure or out-of-bounds read in the Zephyr RTOS Bluetooth SDP parser.

Detection involves monitoring for kernel panics or crashes related to Bluetooth SDP parsing, especially if the system is running Zephyr versions up to 4.4.

Since the issue is triggered by malformed SDP attribute buffers (e.g., containing bytes like 09 00 09), suspicious Bluetooth SDP traffic can be detected by capturing Bluetooth packets and inspecting SDP attributes for truncation or malformed data.

Bluetooth packet capture tools such as `btmon` or `hcidump` (deprecated in BlueZ 5 in favour of `btmon`) can be used to monitor SDP traffic and look for malformed attributes.

Example command to capture Bluetooth traffic on Linux: `sudo btmon`

The captured SDP packets can then be analyzed for truncated attributes similar to the example bytes `09 00 09` that trigger the vulnerability: an attribute whose buffer ends after the 2-byte attribute id, with no value-type byte following it.

Mitigation Strategies

Immediate mitigation steps include restricting or disabling Bluetooth Classic SDP usage on affected Zephyr RTOS devices, especially if they are within attacker Bluetooth range.

Since no patched versions are available at the time of disclosure, limiting exposure by disabling Bluetooth or restricting Bluetooth Classic SDP services can reduce risk.

Additionally, monitoring for abnormal system crashes or kernel panics related to Bluetooth SDP parsing can help identify exploitation attempts.

Implement network or device-level controls to prevent untrusted Bluetooth devices from connecting or sending malformed SDP attributes.

Compliance Impact

This vulnerability primarily causes a denial of service or potential memory corruption due to a malformed Bluetooth SDP attribute leading to a kernel panic or undefined behavior.

There is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
