CVE-2026-10658
Status: Received - Intake
Buffer Overflow in Zephyr Bluetooth Host ISO Receive Path

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: Zephyr Project

Description
A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header (4 bytes, ts=0) without first verifying that buf->len contains at least that many bytes. The outer HCI ISO length check in hci_iso() validates payload length consistency but not the minimum inner SDU header size, so a packet with payload length 1 passes hci_iso() and then reaches net_buf_pull_mem(), which asserts buf->len >= len. As a result, malformed ISO traffic deterministically triggers a kernel assert (denial of service) in assert-enabled builds, and in non-assert builds the same path may proceed with an undersized buffer, leading to out-of-bounds read behavior. The issue affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled, particularly where incoming HCI data can be influenced by a malicious or compromised controller or malformed forwarded ISO traffic.
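The following is an added, self-contained C model of the check described above; it is not Zephyr's code. It reproduces the two-stage parse the advisory describes: an outer hci_iso()-style check that only confirms the data load length field matches the bytes that follow, and an inner bt_iso_recv()-style step that pulls a 4-byte (TS=0) or 8-byte (TS=1) SDU header on START/SINGLE fragments. The vulnerable variant pulls without checking and relies on the pull asserting; the hardened variant rejects the packet first. The struct, function names, the assert-counting pull_mem() and the sample packets are assumptions constructed for the example; header layouts follow the HCI ISO data packet format (handle/PB/TS word, 14-bit data load length, optional 4-byte timestamp, 2-byte packet sequence number, 2-byte SDU length/flags).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for Zephyr's struct net_buf; only the fields used here (assumption). */
struct buf { uint8_t *data; uint16_t len; };

#define HCI_ISO_HDR_SIZE    4 /* handle|PB|TS (2) + ISO data load length (2) */
#define ISO_SDU_HDR_TS_SIZE 8 /* timestamp (4) + PSN (2) + SDU length/flags (2) */
#define ISO_SDU_HDR_SIZE    4 /* PSN (2) + SDU length/flags (2) */
#define PB_START  0
#define PB_SINGLE 2

int g_assert_hits; /* would-be __ASSERT failures recorded by pull_mem() */

/* Models net_buf_pull_mem(), which asserts buf->len >= len. In a non-assert build
 * the subtraction would wrap buf->len; the model records the hit and returns NULL. */
static void *pull_mem(struct buf *b, size_t n)
{
    void *p = b->data;
    if (b->len < n) {
        g_assert_hits++;
        return NULL;
    }
    b->data += n;
    b->len -= (uint16_t)n;
    return p;
}

/* Outer check as the advisory describes hci_iso(): the data load length field
 * must equal the bytes that follow the 4-byte header. Nothing here knows the
 * minimum size of the inner SDU header. */
static int hci_iso_check(struct buf *b, uint8_t *pb, uint8_t *ts)
{
    uint16_t hdr, dlen;
    if (b->len < HCI_ISO_HDR_SIZE) {
        return -1;
    }
    hdr  = (uint16_t)(b->data[0] | (b->data[1] << 8));
    dlen = (uint16_t)(b->data[2] | ((b->data[3] & 0x3f) << 8));
    *pb = (uint8_t)((hdr >> 12) & 0x3);
    *ts = (uint8_t)((hdr >> 14) & 0x1);
    pull_mem(b, HCI_ISO_HDR_SIZE);
    return b->len == dlen ? 0 : -1;
}

/* SDU length: low 12 bits of the last two SDU header bytes. */
static int sdu_len_from_hdr(const uint8_t *hdr, uint8_t ts)
{
    const uint8_t *p = hdr + (ts ? 4 : 0) + 2;
    return (p[0] | (p[1] << 8)) & 0x0fff;
}

/* Vulnerable pattern: pull the SDU header on START/SINGLE without checking
 * buf->len first; the pull itself is where the assert fires. */
static int iso_recv_vulnerable(struct buf *b, uint8_t pb, uint8_t ts)
{
    if (pb == PB_START || pb == PB_SINGLE) {
        uint8_t *hdr = pull_mem(b, ts ? ISO_SDU_HDR_TS_SIZE : ISO_SDU_HDR_SIZE);
        return hdr ? sdu_len_from_hdr(hdr, ts) : -1; /* -1: assert would have fired */
    }
    return 0; /* continuation/end fragment: no SDU header */
}

/* Hardened pattern: check the minimum inner header size and reject the packet
 * before any pull can assert or underflow. */
static int iso_recv_fixed(struct buf *b, uint8_t pb, uint8_t ts)
{
    if (pb == PB_START || pb == PB_SINGLE) {
        size_t hlen = ts ? ISO_SDU_HDR_TS_SIZE : ISO_SDU_HDR_SIZE;
        if (b->len < hlen) {
            return -1; /* too short for the SDU header: drop it */
        }
        return sdu_len_from_hdr(pull_mem(b, hlen), ts);
    }
    return 0;
}

/* Runs the outer check then the given receive path on a copy of pkt. Returns
 * the SDU length for START/SINGLE, 0 for other fragments, -1 if rejected. */
static int process(const uint8_t *pkt, size_t n, int (*recv)(struct buf *, uint8_t, uint8_t))
{
    uint8_t copy[64];
    struct buf b = { copy, (uint16_t)n };
    uint8_t pb = 0, ts = 0;
    if (n > sizeof(copy)) return -1;
    memcpy(copy, pkt, n);
    return hci_iso_check(&b, &pb, &ts) == 0 ? recv(&b, pb, ts) : -1;
}

int process_vulnerable(const uint8_t *pkt, size_t n) { return process(pkt, n, iso_recv_vulnerable); }
int process_fixed(const uint8_t *pkt, size_t n)      { return process(pkt, n, iso_recv_fixed); }

/* Constructed sample packets, not captured traffic.
 * PKT_MALFORMED: handle 0x0001, PB=SINGLE, TS=1, data load length 1, one byte:
 * passes the outer check yet is 7 bytes short of the 8-byte TS SDU header.
 * PKT_VALID: handle 0x0001, PB=SINGLE, TS=0, length 6: PSN 1, SDU length 2, 2 data bytes. */
const uint8_t PKT_MALFORMED[] = { 0x01, 0x60, 0x01, 0x00, 0x00 };
const size_t PKT_MALFORMED_LEN = sizeof(PKT_MALFORMED);
const uint8_t PKT_VALID[] = { 0x01, 0x20, 0x06, 0x00, 0x01, 0x00, 0x02, 0x00, 0xaa, 0xbb };
const size_t PKT_VALID_LEN = sizeof(PKT_VALID);
```

Feeding PKT_MALFORMED through the vulnerable path increments g_assert_hits, which is the kernel-assert outcome the advisory describes; the fixed path returns -1 without touching the pull. The same length-versus-header comparison (data load length smaller than 4 or 8 bytes on a START/SINGLE fragment) is what a trace-based detector would look for in btmon output.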
Affected Vendors & Products
Vendor: zephyrproject
Product: zephyr
Version / Range: up to and including 4.4.0
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2026-10658 is a vulnerability in the Zephyr RTOS Bluetooth Host ISO receive path. It occurs because the code in the bt_iso_recv() function does not properly check that the data buffer is large enough before pulling header information from Bluetooth HCI ISO data packets. Specifically, when processing certain packet fragments, the function attempts to read header bytes without verifying the buffer length, which can lead to a kernel assert failure or out-of-bounds memory reads.

This happens because the outer check in hci_iso() only confirms that the HCI ISO payload length field matches the bytes that follow; it does not enforce the minimum size of the inner SDU header, so a crafted packet with a payload length as small as 1 passes it and reaches the unchecked header pull, where the system crashes or behaves unpredictably.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by causing the system to crash through a kernel assert failure when processing malformed Bluetooth ISO data. In builds without assert enabled, it may cause out-of-bounds memory reads, potentially leading to undefined behavior or system instability.

An attacker who can influence the HCI ISO data delivered to the host, such as a malicious or compromised controller or a source of malformed ISO traffic that the controller forwards, could crash devices running affected versions of Zephyr RTOS with CONFIG_BT_ISO_RX enabled, impacting system availability. A conforming controller frames the SDU header itself, so a remote Bluetooth peer can only reach this path if malformed fragments are passed through to the host.

Detection Guidance

This vulnerability is triggered by malformed Bluetooth HCI ISO data packets whose payload is shorter than the SDU header (4 bytes without timestamp, 8 bytes with timestamp) on a PB=START or PB=SINGLE fragment, causing kernel asserts or out-of-bounds reads in the Zephyr Bluetooth Host ISO receive path.

Detection involves monitoring for kernel assert crashes or denial-of-service symptoms related to Bluetooth ISO data processing, especially if CONFIG_BT_ISO_RX is enabled.

Since the issue arises from malformed HCI ISO packets, capturing HCI traffic with a tool such as btmon (hcidump is its deprecated predecessor) and checking ISO data packets for a data load length below the SDU header size on START/SINGLE fragments can help identify attempts to exploit this vulnerability.

No specific commands are provided in the available resources for direct detection, but using Bluetooth protocol analyzers to inspect ISO data length consistency and kernel logs for assert failures related to bt_iso_recv() or net_buf_pull_mem() would be advisable.

Mitigation Strategies

Immediate mitigation involves applying the patches that have been merged into the Zephyr main and maintenance branches (v4.4, v4.3, v3.7) which fix the missing length validation in bt_iso_recv().

If patching is not immediately possible, disabling CONFIG_BT_ISO_RX in the Zephyr Bluetooth Host configuration removes the vulnerable code path. Note that this disables reception of isochronous data entirely, so it is not an option for products that must receive ISO streams (for example LE Audio sinks).

Additionally, restricting Bluetooth access to trusted devices and monitoring for unusual Bluetooth ISO traffic can reduce the risk of exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
