CVE-2026-5589
Awaiting Analysis Awaiting Analysis - Queue
Bluetooth Mesh Out-of-Bounds Write via Integer Underflow

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: Zephyr Project

Description
An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_len) and computes reported_len - 3 without checking that reported_len >= 3. When reported_len is less than 3, the subtraction is performed in signed int arithmetic and yields a negative value that bypasses the length guard and is then implicitly converted to a very large size_t when passed to net_buf_simple_pull_mem(). In builds without assertions, this wraps the buffer length and advances the data pointer far out of bounds, so subsequent reads dereference invalid memory. A nearby BLE device can trigger this with a non-connectable advertisement carrying a UUID16 AD structure and a crafted length byte, with no pairing or prior association required, potentially leading to denial of service or arbitrary code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-05
Generated
2026-06-26
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-24
NVD
CVE-2026-5589
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
zephyrproject zephyr *
zephyrproject zephyr to 4.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5589 is an out-of-bounds write vulnerability caused by an integer underflow in the Bluetooth Mesh solicitation handling function bt_mesh_sol_recv() in the Zephyr RTOS. When the CONFIG_BT_MESH_OD_PRIV_PROXY_SRV configuration is enabled, the function parses BLE advertisement payloads and reads an attacker-controlled length byte called reported_len. If reported_len is less than 3, subtracting 3 results in a negative value that bypasses length checks and is implicitly converted to a very large unsigned integer. This causes the buffer pointer to advance far beyond its valid range, leading to out-of-bounds memory access.

In builds without assertions, this results in the buffer length wrapping around and the data pointer moving approximately 4GB forward, pointing to invalid memory. Subsequent reads from this invalid memory can cause arbitrary code execution or denial of service. The vulnerability can be triggered by a nearby BLE device sending a crafted non-connectable advertisement with a UUID16 AD structure and a malicious length byte, without requiring pairing or prior association.

Impact Analysis

This vulnerability can lead to serious security impacts including denial of service (DoS) and arbitrary code execution on devices running vulnerable versions of the Zephyr RTOS Bluetooth Mesh subsystem.

  • Denial of Service: The out-of-bounds write can cause the system to crash or become unresponsive.
  • Arbitrary Code Execution: An attacker can exploit the invalid memory access to execute malicious code remotely.
  • No pairing or prior association is required, so any nearby BLE device can trigger the vulnerability.
Detection Guidance

This vulnerability is triggered by a nearby BLE device sending a non-connectable advertisement with a crafted UUID16 AD structure and a malicious length byte. Detection involves monitoring Bluetooth Low Energy (BLE) advertising packets for abnormal or malformed AD structures, especially those with length bytes less than 3 in solicitation PDUs.

You can use BLE scanning tools to capture and analyze advertising packets. For example, using Linux's 'hcitool' or 'bluetoothctl' to scan BLE devices, or more advanced tools like 'btmon' or 'Wireshark' with BLE capture capabilities, to inspect the raw advertising payloads for suspicious length fields.

  • Use 'sudo btmon' to monitor BLE traffic and look for UUID16 AD structures with length fields less than 3.
  • Use 'sudo hcitool lescan' to discover nearby BLE devices and then 'sudo hcidump --raw' or 'sudo hcidump --raw -i hciX' (replace hciX with your interface) to capture raw advertising data for analysis.
  • Analyze captured BLE advertising packets in Wireshark, filtering for Bluetooth Low Energy advertising PDUs and inspecting the AD length fields for values less than 3.
Mitigation Strategies

Immediate mitigation involves disabling the CONFIG_BT_MESH_OD_PRIV_PROXY_SRV configuration option in Zephyr builds if it is enabled, as this feature is directly involved in the vulnerability.

Additionally, restrict or monitor BLE advertising traffic from untrusted or unknown devices to prevent malicious advertisements from reaching vulnerable systems.

Since no patched versions are currently available, consider applying custom patches or workarounds to add proper bounds checking on the reported_len field in the bt_mesh_sol_recv() function to prevent integer underflow.

Ensure that assertions (CONFIG_ASSERT) are enabled in builds to help catch such issues during development and testing.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5589. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart