CVE-2026-5068
Status: Received (Intake)
BLE Out-of-Bounds Write in Zephyr RTOS L2CAP LE CoC

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: Zephyr Project

Description
A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the segmentation counter stored in the net_buf user_data area is written out of bounds in l2cap_chan_le_recv_seg (subsys/bluetooth/host/l2cap.c). The observed effects are an AddressSanitizer abort and, without ASan, heap corruption / fatal error.
Meta Information
Generated: 2026-06-09
AI Q&A generated: 2026-06-09
EPSS evaluated: N/A
External references: NVD, EUVD
Affected Vendors & Products
Vendor | Product | Version / Range
zephyrproject | zephyr | all versions before 4.4.0 (4.4.0 itself is outside the affected range)
zephyrproject | zephyr | 4.3
CWE ID | Description
CWE-787 | Out-of-bounds Write: the product writes data past the end, or before the beginning, of the intended buffer.
Executive Summary

This vulnerability is a 2-byte out-of-bounds write in the Bluetooth host of the Zephyr RTOS during reassembly of LE Connection-Oriented Channel (LE CoC) Service Data Units (SDUs). The host keeps a 2-byte segmentation counter in the user_data area of the net_buf that holds the SDU being reassembled. When the application supplies its own RX buffers through chan_ops.alloc_buf and the pool behind that callback was defined with a user_data_size smaller than 2 bytes, the counter write in l2cap_chan_le_recv_seg lands past the end of the user_data area. A remote, unauthenticated Bluetooth Low Energy (BLE) peer reaches this path simply by sending an LE CoC SDU that the host has to reassemble from segments.

On builds with AddressSanitizer (ASan) enabled the issue manifests as an ASan abort whose backtrace points into the affected code. On ordinary builds it is silent corruption of whatever memory follows the user_data area, which typically surfaces later as a fatal error when the allocator detects a poisoned free-list entry.

Impact Analysis

The primary impact is memory corruption: the 2-byte write lands in whatever the allocator placed after the buffer's user_data area, so the result is heap corruption inside the Bluetooth host. In practice this means a crash or reboot of the device (denial of service); whether the corrupted bytes could be steered towards anything more depends on the pool layout and is not established by the available resources.

Because the write is triggered by a remote, unauthenticated BLE peer, any attacker within radio range who can bring up an LE CoC channel with the device reaches it without privileges, pairing, or user interaction.

The CVSS score of 7.6 (High) reflects that combination: adjacent-network access, no privileges, no user interaction, and a memory-corruption outcome. The precondition is specific, however: the firmware must supply its own RX buffers via chan_ops.alloc_buf from a pool whose user_data_size is below 2 bytes. Applications that do not enable segmentation this way are not described as affected.

Detection Guidance

On host-simulated or test builds with AddressSanitizer enabled, the bug shows up as an ASan abort whose backtrace points into subsys/bluetooth/host/l2cap.c (around line 2618 in the affected source), inside l2cap_chan_le_recv_seg, during LE CoC SDU reassembly.

On production builds without ASan there is no direct indicator of the write itself. The observable symptoms are fatal errors, allocator assertions about a poisoned free list, or unexplained resets that correlate with LE CoC traffic.

Nothing in the attacker's traffic is unusual: user_data_size is a property of the receiver's buffer pool, not of the packets, and the triggering input is an ordinary segmented SDU (one whose length exceeds the channel MPS and therefore spans several K-frames). Over-the-air detection is limited to noticing LE CoC connections from unexpected peers. The reliable check is on the firmware side: audit every pool returned from chan_ops.alloc_buf and confirm its user_data_size is at least 2 bytes, or confirm the build carries the fixed l2cap.c.

Specific commands are not provided in the available resources.

Mitigation Strategies

Immediate mitigation is to upgrade to Zephyr RTOS 4.4.0 or later; the affected range runs up to but excluding 4.4.0, and 4.3 is listed as affected.

Where an upgrade is not yet possible, make sure every net_buf pool handed out through chan_ops.alloc_buf is defined with a user_data_size of at least 2 bytes, so the segmentation counter stays inside the user_data area. This removes the precondition for the write even on an unpatched host.

Reducing exposure also helps: do not register LE CoC servers (PSMs) the application does not need, restrict the ones it does need to paired peers where the design allows, and monitor BLE traffic for LE CoC connections from unexpected devices.
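The write described above and the pool-side check that prevents it, as an added stand-alone C model (not Zephyr code, and not taken from this page): model_buf stands in for a net_buf with a pool-sized user_data area, le_coc_recv_seg mimics the shape of the host's segment handler with a 2-byte remaining-length counter kept in user_data, and alloc_rx_buf is the guard a chan_ops.alloc_buf callback should apply. The two K-frames and the canary layout are constructed for the example. In a real Zephyr application the pool behind alloc_buf comes from NET_BUF_POOL_DEFINE, whose fourth argument is the user_data_size this check is about.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-alone model of an RX buffer with a pool-sized user_data area. It is NOT
 * Zephyr's struct net_buf; it reproduces only the property that matters here:
 * user_data is immediately followed by other memory. Bytes behind the valid
 * user_data are filled with a canary standing in for whatever the allocator
 * placed next to the buffer. */
#define SDU_CAPACITY 64
#define UD_CAPACITY  4
#define CANARY       0xA5

struct model_buf {
    uint16_t len;                   /* payload bytes reassembled so far */
    uint8_t  user_data_size;        /* valid user_data bytes, from the pool definition */
    uint8_t  data[SDU_CAPACITY];
    uint8_t  tail[UD_CAPACITY + 2]; /* user_data_size bytes of user_data, then canary */
};

enum seg_result { SEG_MORE = 0, SEG_DONE = 1, SEG_ERR_NO_USER_DATA = -1, SEG_ERR_LEN = -2 };

static void model_buf_init(struct model_buf *b, uint8_t user_data_size)
{
    if (user_data_size > UD_CAPACITY) user_data_size = UD_CAPACITY;
    memset(b, 0, sizeof(*b));
    b->user_data_size = user_data_size;
    memset(b->tail + user_data_size, CANARY, sizeof(b->tail) - user_data_size);
}

/* True while nothing has been written past the valid user_data bytes. */
static bool model_canary_intact(const struct model_buf *b)
{
    for (size_t i = b->user_data_size; i < sizeof(b->tail); i++) {
        if (b->tail[i] != CANARY) return false;
    }
    return true;
}

/* Consume one K-frame of an LE CoC SDU. The first frame carries the 2-byte
 * little-endian SDU length ahead of its payload. The remaining-byte counter
 * lives in user_data, like the host's per-SDU segmentation state. `checked`
 * selects the hardened variant, which rejects a buffer that cannot hold it. */
static int le_coc_recv_seg(struct model_buf *sdu, const uint8_t *frame,
                           size_t frame_len, bool first, bool checked)
{
    uint16_t remaining;

    if (checked && sdu->user_data_size < sizeof(remaining)) return SEG_ERR_NO_USER_DATA;
    if (first) {
        if (frame_len < 2) return SEG_ERR_LEN;
        remaining = (uint16_t)(frame[0] | (frame[1] << 8));
        if (remaining > SDU_CAPACITY) return SEG_ERR_LEN;
        frame += 2;
        frame_len -= 2;
        sdu->len = 0;
    } else {
        memcpy(&remaining, sdu->tail, sizeof(remaining));
    }
    if (frame_len > remaining) return SEG_ERR_LEN;
    memcpy(sdu->data + sdu->len, frame, frame_len);
    sdu->len += (uint16_t)frame_len;
    remaining -= (uint16_t)frame_len;
    /* The write at issue: two bytes into user_data. The unchecked variant does
     * it even when user_data_size is 0 or 1 and so spills into the canary. */
    memcpy(sdu->tail, &remaining, sizeof(remaining));
    return remaining == 0 ? SEG_DONE : SEG_MORE;
}

/* Pool-side guard in the shape a chan_ops.alloc_buf callback should enforce:
 * a pool whose user_data cannot hold the counter fails at allocation time
 * instead of corrupting memory during reassembly. */
static struct model_buf rx_pool_slot; /* one slot of a model pool */
static struct model_buf *alloc_rx_buf(struct model_buf *slot, uint8_t pool_user_data_size)
{
    if (pool_user_data_size < sizeof(uint16_t)) return NULL;
    model_buf_init(slot, pool_user_data_size);
    return slot;
}

struct sample_result { int rc; bool canary_ok; bool sdu_ok; };

/* Constructed sample: the 6-byte SDU "hello!" delivered as two K-frames, as a
 * channel with a small MPS would do. Reports the final status, whether the
 * memory behind user_data survived, and whether the SDU came out intact. */
static struct sample_result reassemble_sample(uint8_t user_data_size, bool checked)
{
    static const uint8_t frame1[] = { 0x06, 0x00, 'h', 'e', 'l' }; /* SDU len 6, then 3 bytes */
    static const uint8_t frame2[] = { 'l', 'o', '!' };
    struct model_buf sdu;
    struct sample_result r;

    model_buf_init(&sdu, user_data_size);
    r.rc = le_coc_recv_seg(&sdu, frame1, sizeof(frame1), true, checked);
    if (r.rc == SEG_MORE) r.rc = le_coc_recv_seg(&sdu, frame2, sizeof(frame2), false, checked);
    r.canary_ok = model_canary_intact(&sdu);
    r.sdu_ok = sdu.len == 6 && memcmp(sdu.data, "hello!", 6) == 0;
    return r;
}

int main(void)
{
    static const struct { uint8_t ud; bool checked; } cases[] = {
        { 0, false }, { 1, false }, { 0, true }, { 2, true }
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        struct sample_result r = reassemble_sample(cases[i].ud, cases[i].checked);
        printf("user_data_size=%u %-9s: rc=%d, sdu %s, memory behind user_data %s\n",
               (unsigned)cases[i].ud, cases[i].checked ? "checked" : "unchecked",
               r.rc, r.sdu_ok ? "ok" : "incomplete", r.canary_ok ? "intact" : "CORRUPTED");
    }
    return 0;
}
```

Build with any C compiler (for example cc -Wall model.c) and run it. The two unchecked rows report CORRUPTED for user_data_size 0 and 1 while still delivering the SDU correctly, which is why the real bug is silent without ASan; the checked row with user_data_size 0 fails fast, and user_data_size 2 reassembles cleanly. The canary bytes sit inside the struct on purpose, so running the model under -fsanitize=address will not flag it; the point is the comparison between the two variants, not an ASan reproduction of the Zephyr crash.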
