CVE-2026-10660
Received Received - Intake

Buffer Overflow in Zephyr RTOS Bluetooth BAP Broadcast Assistant

Vulnerability report for CVE-2026-10660, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-11

Last updated on: 2026-07-11

Assigner: Zephyr Project

Description

The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assistant.c reassembled remote Broadcast Receive State data into a single file-static net_buf_simple (att_buf, BT_ATT_MAX_ATTRIBUTE_LEN = 512 bytes) shared by all connection instances, while the BUSY flag, long-read handle, and reset/offset state were per-connection. When the device acts as a Broadcast Assistant connected to multiple Scan Delegator peripherals, notification and long-read callbacks from different connections interleave on the shared buffer: the append in notify_handler (net_buf_simple_add_mem at the not-busy branch) performs no tailroom check, so receive-state notifications from two or more delegators accumulate on the same 512-byte buffer and, with a sufficiently large configured ATT MTU (BT_L2CAP_TX_MTU up to 2000) and two-to-three concurrent connections, write past the buffer into adjacent .bss (net_buf_simple_add only asserts in debug builds). Even below the overflow threshold, one connection's net_buf_simple_reset zeroes the shared length while another connection's reassembly and GATT read offset are in flight, mixing one peer's data into another's parse. A malicious or compromised Scan Delegator (or two colluding peers) over BLE can trigger this, causing out-of-bounds writes (memory corruption / denial of service) and cross-connection data corruption. The fix moves the buffer into the per-connection instance struct so each connection reassembles into its own buffer. Affects Zephyr releases shipping the Broadcast Assistant with the shared buffer, including v4.4.0 and earlier.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-11
Last Modified
2026-07-11
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
zephyrproject zephyr From 3.6.0 (inc) to 4.4.0 (inc)
zephyrproject zephyr 4.5.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-10660 is a vulnerability in the Zephyr RTOS Bluetooth Broadcast Assistant (BAP) where a single static buffer (att_buf) is shared across all connection instances to reassemble remote Broadcast Receive State data.

While some state flags and handles are managed per connection, the shared buffer allows notification and long-read callbacks from multiple connections to interleave and append data without checking available space. This can cause buffer overflows or data corruption when multiple Scan Delegator peripherals connect concurrently.

A malicious or compromised Scan Delegator can exploit this by sending crafted data over Bluetooth Low Energy (BLE), leading to out-of-bounds writes, memory corruption, denial of service, and cross-connection data corruption.

The vulnerability affects Zephyr versions from 3.6.0 to 4.4.0 and was fixed by moving the buffer into per-connection instances so each connection uses its own buffer.

Impact Analysis

This vulnerability can lead to memory corruption and denial of service on devices running affected Zephyr RTOS versions when acting as a Bluetooth Broadcast Assistant connected to multiple Scan Delegator peripherals.

An attacker controlling one or more Scan Delegators can cause out-of-bounds writes that corrupt memory, potentially crashing the device or causing unpredictable behavior.

Additionally, data from one connection can be mixed into another, leading to cross-connection data corruption which may compromise data integrity and confidentiality.

Detection Guidance

This vulnerability arises from the Bluetooth Broadcast Assistant (BAP) in Zephyr RTOS when connected to multiple Scan Delegator peripherals, causing memory corruption due to a shared buffer overflow. Detection involves monitoring Bluetooth Low Energy (BLE) connections for abnormal behavior such as unexpected crashes, memory corruption symptoms, or data corruption between connections.

Since the issue is related to the internal buffer management in the Zephyr Bluetooth stack, direct detection commands on the network or system are not explicitly provided in the available resources.

However, to investigate or detect this vulnerability, you might consider monitoring BLE traffic and connection states using tools like 'btmon' (Bluetooth monitor) on Linux systems to observe multiple concurrent Scan Delegator connections and any unusual notifications or long-read operations.

Additionally, debugging or logging within the Zephyr RTOS Bluetooth stack, especially around the Broadcast Assistant GATT client, could help identify buffer overflows or data corruption events.

Mitigation Strategies

The primary mitigation is to update the Zephyr RTOS to a version where the vulnerability is fixed. The issue is resolved by moving the shared reassembly buffer into a per-connection instance buffer, preventing cross-connection data corruption.

  • Upgrade Zephyr RTOS to version 4.5.0 or later, or apply backported fixes available in versions 4.3, 4.4, and 3.7 branches.
  • If upgrading immediately is not possible, limit the number of concurrent Scan Delegator connections to reduce the risk of buffer overflow.
  • Avoid using large ATT MTU sizes (close to 2000 bytes) in configurations until the fix is applied.

These steps help prevent exploitation by malicious or compromised Scan Delegators that could trigger out-of-bounds writes and memory corruption.

Compliance Impact

This vulnerability in the Zephyr RTOS Bluetooth Broadcast Assistant allows memory corruption and cross-connection data corruption due to a shared buffer being used for multiple connections. Such data corruption could potentially lead to unauthorized data exposure or denial of service.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the vulnerability's impact on confidentiality and integrity (as indicated by the CVSS score) suggests that if exploited, it could compromise sensitive data handled by devices using the affected software.

Therefore, organizations using affected versions of Zephyr RTOS in environments subject to regulations like GDPR or HIPAA should consider this vulnerability a risk to data protection and system availability, potentially affecting compliance if exploited.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10660. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart