Description
The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state() (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields (interval, framing, phy, sdu, rtn, latency, pd) through the stream->qos pointer with only a stream != NULL guard. stream->qos is NULL for any stream that has been codec-configured via bt_bap_stream_config() but not yet added to a unicast group (it is set only by unicast_group_add_stream()). A malicious or buggy remote ASCS server, to which the local device is connected as a BAP unicast client, can send a GATT notification announcing the ASE has entered the QoS Configured state while the local endpoint is still in the Codec Configured state — a transition the dispatcher explicitly permits — during that window, causing a write through a NULL pointer and a crash (denial of service). The data written is itself remote-controlled. The defect shipped in v4.3.0 and v4.4.0 (and earlier). The fix re-points all BAP QoS storage to the always-valid embedded ep->qos struct, eliminating the NULL dereference.
Published: 2026-06-28
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client contains a NULL-pointer dereference (CWE-476) that is triggered when a remote ASCS server sends an ASE state notification announcing QoS Configured while the local endpoint is still in the Codec Configured state. In that window stream->qos is still NULL, because it is assigned only when the stream is added to a unicast group, yet the handler copies the peer-supplied QoS fields through it after checking only that the stream itself is non-NULL. The write faults and the device crashes: a denial of service reachable with a single crafted GATT notification over an established BLE connection.
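The following is an added, self-contained C model of the two handler shapes the description contrasts; it is not Zephyr's code and not the fix commit. The endpoint and stream structs, the parser, the transition rule and every function name are assumptions of this model; the notification layout follows the ASCS QoS Configured ASE state format (CIG_ID, CIS_ID, SDU_Interval, Framing, PHY, Max_SDU, RTN, Max_Transport_Latency, Presentation_Delay), and the sample notification bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* ASCS ASE states involved in this bug. */
enum ase_state { ASE_STATE_IDLE = 0x00, ASE_STATE_CODEC_CONFIGURED = 0x01, ASE_STATE_QOS_CONFIGURED = 0x02 };

/* QoS fields carried by a QoS Configured ASE state notification. */
struct audio_qos {
	uint32_t interval; /* SDU interval in us, 24 bits on the wire */
	uint8_t framing;
	uint8_t phy;
	uint16_t sdu;
	uint8_t rtn;
	uint16_t latency;
	uint32_t pd;       /* presentation delay in us, 24 bits on the wire */
};

/* Hypothetical endpoint and stream shapes for this model, not Zephyr's own structs. */
struct endpoint {
	enum ase_state state;
	struct audio_qos qos;  /* embedded, so it exists for the endpoint's whole lifetime */
};

struct stream {
	struct endpoint *ep;
	struct audio_qos *qos; /* points into group storage; NULL until the stream joins a group */
};

/* Notification layout: ASE_ID(1) ASE_State(1) CIG_ID(1) CIS_ID(1) SDU_Interval(3) Framing(1)
 * PHY(1) Max_SDU(2) RTN(1) Max_Transport_Latency(2) Presentation_Delay(3); little-endian. */
#define QOS_NOTIF_LEN 17

static uint32_t le24(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16); }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 0 and fills *out, or -1 for a malformed or non-QoS-Configured notification. */
static int parse_qos_notif(const uint8_t *buf, size_t len, struct audio_qos *out)
{
	if (buf == NULL || len != QOS_NOTIF_LEN || buf[1] != ASE_STATE_QOS_CONFIGURED) return -1;
	const uint8_t *p = buf + 4; /* skip ASE_ID, ASE_State, CIG_ID, CIS_ID */
	out->interval = le24(p); p += 3;
	out->framing = *p++;
	out->phy = *p++;
	out->sdu = le16(p); p += 2;
	out->rtn = *p++;
	out->latency = le16(p); p += 2;
	out->pd = le24(p);
	return 0;
}

/* Dispatcher rule from the description: QoS Configured is accepted while the local
 * endpoint is still Codec Configured (or already QoS Configured), never from Idle. */
static bool transition_allowed(enum ase_state from, enum ase_state to)
{
	if (to != ASE_STATE_QOS_CONFIGURED) return false;
	return from == ASE_STATE_CODEC_CONFIGURED || from == ASE_STATE_QOS_CONFIGURED;
}

/* True when the vulnerable handler below would write through NULL for this stream. */
static bool vulnerable_would_null_deref(const struct stream *stream)
{
	return stream != NULL && stream->qos == NULL;
}

/* Vulnerable shape: only `stream != NULL` is checked, then the peer's values are
 * stored through stream->qos, which is NULL for a configured stream not yet in a group. */
static int qos_state_vulnerable(struct stream *stream, const uint8_t *buf, size_t len)
{
	struct audio_qos parsed;

	if (stream == NULL || parse_qos_notif(buf, len, &parsed) != 0) return -1;
	*stream->qos = parsed; /* NULL write whose contents the remote server chose */
	stream->ep->state = ASE_STATE_QOS_CONFIGURED;
	return 0;
}

/* Hardened shape: store into the embedded ep->qos, which always exists, and refuse
 * the notification when the endpoint is in a state the transition rule rejects. */
static int qos_state_fixed(struct stream *stream, const uint8_t *buf, size_t len)
{
	struct audio_qos parsed;

	if (stream == NULL || stream->ep == NULL) return -1;
	if (!transition_allowed(stream->ep->state, ASE_STATE_QOS_CONFIGURED)) return -2;
	if (parse_qos_notif(buf, len, &parsed) != 0) return -3;
	stream->ep->qos = parsed;
	stream->ep->state = ASE_STATE_QOS_CONFIGURED;
	return 0;
}

/* Constructed sample: ASE 1 entering QoS Configured with interval 10000 us, unframed,
 * 2M PHY, Max_SDU 120, RTN 2, transport latency 20 ms, presentation delay 40000 us. */
static const uint8_t SAMPLE_QOS_NOTIF[QOS_NOTIF_LEN] = {
	0x01, 0x02, 0x00, 0x00, 0x10, 0x27, 0x00, 0x00, 0x02,
	0x78, 0x00, 0x02, 0x14, 0x00, 0x40, 0x9c, 0x00,
};
```

qos_state_vulnerable() performs the NULL write faithfully, so only call it on a stream whose qos pointer is set; vulnerable_would_null_deref() states the precondition the attacker needs (a codec-configured stream with no group). qos_state_fixed() goes one step beyond the fix the description states (re-pointing storage to the embedded ep->qos) by also rejecting the notification from Idle; that extra check is this model's choice, not something the page attributes to the upstream change.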

Affected Systems

Zephyr project, specifically the Bluetooth LE Audio BAP unicast client component. The vulnerability exists in Zephyr releases 4.3.0, 4.4.0, and earlier versions that contain the original unicast_client_ep_qos_state routine.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium) with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: the attacker must be within BLE radio range as the connected ASCS server peer (adjacent, not network-remote), attack complexity is low, no privileges or user interaction are required, and the impact is limited to availability. The entry is not listed in the CISA KEV catalog and has no EPSS score, so exploitation likelihood is unknown. The precondition is that the local device is connected as a BAP unicast client to a hostile or buggy ASCS server and has a stream that is codec-configured but not yet in a unicast group; a single crafted ASE state notification in that window crashes the device, which resets or becomes inoperable until the firmware is updated.

Generated by OpenCVE AI on June 28, 2026 at 06:20 UTC.

Remediation

No vendor advisory or workaround is listed in this field, but the CVE description states that the defect is fixed upstream by moving all BAP QoS storage to the endpoint's embedded ep->qos struct; the affected releases are v4.3.0, v4.4.0 and earlier.

OpenCVE Recommended Actions

  • Upgrade to a Zephyr revision that contains the fix for the NULL-pointer dereference (this page lists commit 52f25c903f2926cb1281b50fd79654668e2d483f); v4.3.0, v4.4.0 and earlier are affected.
  • If an upgrade is not immediately possible, reduce exposure rather than trying to filter the packet: require bonding and connect only to ASCS servers you trust, and keep the window between bt_bap_stream_config() returning and the stream being added to a unicast group (which is what sets stream->qos) as short as possible. The application cannot drop the offending notification itself, because the write happens inside the stack's handler before any stream callback runs.
  • There is no configuration option that disables only the QoS state handling. If the product does not need the LE Audio unicast client role, build without CONFIG_BT_BAP_UNICAST_CLIENT, the Kconfig symbol that gates bap_unicast_client.c, which removes the vulnerable handler entirely.

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 05:00:00 +0000

Type / Values removed / Values added (nothing removed in this entry)
Description (added): The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state() (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields (interval, framing, phy, sdu, rtn, latency, pd) through the stream->qos pointer with only a stream != NULL guard. stream->qos is NULL for any stream that has been codec-configured via bt_bap_stream_config() but not yet added to a unicast group (it is set only by unicast_group_add_stream()). A malicious or buggy remote ASCS server, to which the local device is connected as a BAP unicast client, can send a GATT notification announcing the ASE has entered the QoS Configured state while the local endpoint is still in the Codec Configured state — a transition the dispatcher explicitly permits — during that window, causing a write through a NULL pointer and a crash (denial of service). The data written is itself remote-controlled. The defect shipped in v4.3.0 and v4.4.0 (and earlier). The fix re-points all BAP QoS storage to the always-valid embedded ep->qos struct, eliminating the NULL dereference.
Title (added): Remotely triggerable NULL-pointer dereference in Bluetooth LE Audio BAP unicast client QoS-state handling
Weaknesses (added): CWE-476
References (added): none listed
Metrics (added): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-28T04:28:22.888Z

Reserved: 2026-06-01T21:19:25.050Z

Link: CVE-2026-10593

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T06:30:04Z

Weaknesses