CVE-2026-9263

Bluetooth ISOAL Length Validation Flaw in Zephyr

Vulnerability report for CVE-2026-9263, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Zephyr Project

Description

The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment (sc=0) always carries a 3-byte time_offset, so its segment-header len must be at least PDU_ISO_SEG_TIMEOFFSET_SIZE (3). isoal_check_seg_header() accepted start segments with len < 3 as valid, and isoal_rx_framed_consume() then computed length = seg_hdr->len - 3 in a uint8_t, underflowing to 253-255 when len is 0-2. That oversized length is passed to isoal_rx_append_to_sdu(), whose copy is clamped only against the destination SDU buffer size, not the source PDU length, so up to ~255 bytes of controller memory beyond the received PDU are copied (via sink_sdu_write_hci()/net_buf_add_mem) into an HCI ISO data packet and delivered to the host.

The PDU and its segment headers are entirely attacker-controlled and arrive over the air, reachable through both the CIS and BIS-sync HCI data paths (hci_driver.c) and the vendor data path (ull_iso.c), so a remote CIS peer or a broadcaster the device is synced to can trigger an out-of-bounds read causing information disclosure to the host and potential denial of service (faults or malformed oversized HCI ISO packets).

The flaw affects all Zephyr releases since framed ISO reception was introduced in v3.0.0. The fix rejects sc=0 segments with len < 3 in isoal_check_seg_header() and adds a guard before the subtraction in isoal_rx_framed_consume().

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor          Product   Version / Range
zephyrproject   zephyr    From 3.0.0 (inc)
zephyrproject   zephyr    From 3.3.0 (inc) to 4.4.1 (inc)
zephyrproject   zephyr    4.5.0

CWE

CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.

AI Quick Actions

Executive Summary

CVE-2026-9263 is a vulnerability in the Zephyr RTOS Bluetooth Controller ISO Adaptation Layer (ISOAL) that allows an adjacent attacker to trigger an out-of-bounds (OOB) read.

The issue occurs because the code fails to properly validate the length field of a framed ISO PDU start segment when the segment count (sc) is zero. Specifically, the function isoal_check_seg_header() accepted start segments with a length less than 3 bytes as valid, which is incorrect since a start segment must carry a 3-byte time_offset.

This improper validation leads to an integer underflow in isoal_rx_framed_consume(), causing the code to compute an oversized length and read beyond the intended buffer. As a result, up to approximately 255 bytes of adjacent controller memory are copied into an HCI ISO data packet and delivered to the host, potentially leaking sensitive memory contents.

The vulnerability is reachable remotely over Bluetooth by a CIS peer or a broadcaster the device is synced to, making it possible to cause information disclosure or denial of service.

Impact Analysis

This vulnerability can lead to information disclosure by leaking adjacent controller memory contents to the host via malformed Bluetooth ISO data packets.

Additionally, it can cause denial of service conditions due to faults or malformed oversized HCI ISO packets resulting from the out-of-bounds read.

Since the vulnerability is exploitable remotely over Bluetooth, an attacker within radio range can trigger these impacts without physical access.

Detection Guidance

This vulnerability involves malformed Bluetooth ISO PDU start segments with a segment-header length less than 3 bytes, which leads to out-of-bounds reads in the Zephyr Bluetooth controller ISO Adaptation Layer.

Detection would require monitoring Bluetooth ISO data packets for malformed segment headers, specifically start segments (sc=0) with length fields less than 3.

Since the vulnerability is triggered by malformed Bluetooth ISO packets arriving over the air, network detection could involve capturing Bluetooth traffic with tools like Bluetooth protocol analyzers (e.g., Wireshark with Bluetooth capture support) and inspecting ISO PDU segment headers for invalid lengths.

No specific commands or detection scripts are provided in the available resources.

Mitigation Strategies

The primary mitigation is to update the Zephyr RTOS Bluetooth controller to a patched version where the vulnerability is fixed.

  • Upgrade to Zephyr RTOS version 4.5.0 or later maintenance branches where the fix rejecting undersized segments with sc=0 has been applied.
  • If upgrading is not immediately possible, consider disabling Bluetooth Controller ISO support or framed ISO reception features to prevent exposure.

The fix involves strengthening validation in the segment header parsing logic to reject segments with length less than 3 when sc=0, preventing the out-of-bounds read.
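The added C program below is not Zephyr's code and is not taken from the advisory; it is a constructed model of the mechanism the Description, Detection Guidance and Mitigation Strategies sections describe. It shows the 8-bit subtraction that wraps a start-segment len of 0-2 to 253-255, the two guards the fix adds (reject sc=0 with len < 3 in the header check, and guard the subtraction before computing the copy length), plus a small scanner that walks a PDU payload's segment headers and counts undersized start segments, which is the kind of check a protocol-analyzer dissector or test harness would apply. The 2-byte header layout (sc in bit 0 of byte 0, cmplt in bit 1, len in byte 1), the struct and function names, and the sample bytes are assumptions made for illustration; only sc, cmplt, len, time_offset and PDU_ISO_SEG_TIMEOFFSET_SIZE come from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a framed ISO PDU segment header: byte 0 carries sc
 * (bit 0) and cmplt (bit 1), byte 1 is len. Field names follow the page; the
 * byte layout is an assumption for illustration, not Zephyr's definition. */
#define SEG_HDR_SIZE        2u
#define SEG_TIMEOFFSET_SIZE 3u   /* PDU_ISO_SEG_TIMEOFFSET_SIZE on the page */

struct seg_hdr {
	uint8_t sc;     /* 0 = start segment, which carries a 3-byte time_offset */
	uint8_t cmplt;  /* 1 = this segment completes the SDU */
	uint8_t len;    /* bytes following the header */
};

/* Decode one header; false when fewer than 2 bytes remain. */
static bool parse_seg_hdr(const uint8_t *buf, size_t avail, struct seg_hdr *out)
{
	if (avail < SEG_HDR_SIZE) {
		return false;
	}
	out->sc = buf[0] & 0x01;
	out->cmplt = (buf[0] >> 1) & 0x01;
	out->len = buf[1];
	return true;
}

/* The check the fix adds: a start segment must have room for time_offset.
 * Before the fix, any len was accepted for sc == 0. */
static bool check_seg_header_patched(const struct seg_hdr *h)
{
	return !(h->sc == 0 && h->len < SEG_TIMEOFFSET_SIZE);
}

/* Unguarded subtraction in 8-bit arithmetic: len 0..2 wraps to 253..255,
 * the oversized copy length the page describes. */
static uint8_t payload_len_unguarded(const struct seg_hdr *h)
{
	return (uint8_t)(h->len - SEG_TIMEOFFSET_SIZE);
}

/* Guarded version: returns -1 instead of underflowing, and also refuses a
 * length larger than the bytes actually left in the source PDU. */
static int payload_len_guarded(const struct seg_hdr *h, size_t pdu_remaining)
{
	unsigned int length = h->len;

	if (h->sc == 0) {
		if (h->len < SEG_TIMEOFFSET_SIZE) {
			return -1;
		}
		length -= SEG_TIMEOFFSET_SIZE;
	}
	if (length > pdu_remaining) {
		return -1;
	}
	return (int)length;
}

/* Detection helper: walk one PDU payload's segment headers and count the
 * start segments an unpatched controller would mis-handle. */
static int count_invalid_start_segments(const uint8_t *pdu, size_t pdu_len)
{
	struct seg_hdr h;
	size_t off = 0;
	int invalid = 0;

	while (parse_seg_hdr(pdu + off, pdu_len - off, &h)) {
		if (!check_seg_header_patched(&h)) {
			invalid++;
		}
		off += SEG_HDR_SIZE;
		if (h.len > pdu_len - off) {
			break;  /* segment claims more bytes than the PDU holds */
		}
		off += h.len;
	}
	return invalid;
}

/* Constructed sample: a well-formed start segment (len 5 = 3-byte time_offset
 * + 2 data bytes) followed by an undersized start segment (len 1). */
static const uint8_t SAMPLE_PDU[] = {
	0x02, 0x05, 0x10, 0x00, 0x00, 0xAA, 0xBB,
	0x00, 0x01, 0xCC,
};

int main(void)
{
	struct seg_hdr bad = { .sc = 0, .cmplt = 1, .len = 1 };

	printf("unguarded length for len=1: %u\n", payload_len_unguarded(&bad));
	printf("guarded length for len=1:   %d\n", payload_len_guarded(&bad, 8));
	printf("invalid start segments in sample PDU: %d\n",
	       count_invalid_start_segments(SAMPLE_PDU, sizeof(SAMPLE_PDU)));
	return 0;
}
```

The guarded length computation deliberately checks two things the page says the original code did not: that the subtraction cannot wrap, and that the resulting length fits within the bytes still present in the received PDU, so the later copy is bounded by the source as well as by the destination SDU buffer.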
