Description
Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf-ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf. Because the parser places no cap on the number of +CIND: list entries, a remote Attendant Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction. The sibling consumer ag_indicator_handle_values() already performed the equivalent bounds check; this commit adds the same index = ARRAY_SIZE(hf-ind_table) guard to close the gap. Affects builds with CONFIG_BT_HFP_HF enabled; introduced with the original HFP HF CIND parser (~v1.7) and present through v4.4.0.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zephyr RTOS’s Bluetooth Classic Hands‑Free Profile (HFP) Hands‑Free role parser contains an out‑of‑bounds write when handling the AT+CIND: response from an Access Gateway. During Service Level Connection setup the HF parser calls cind_handle_values() on each indicator entry but fails to check that the calculated index is within the 20‑element ind_table array. A malicious or compromised peer can send more than twenty indicators, causing the parser to write past the array and corrupt adjacent data such as feature masks, SDP state, and the calls array. The resulting memory corruption can bring the Bluetooth host down or corrupt other internal structures, yielding at least a denial of service without any user interaction.

Affected Systems

Zephyr Project’s Zephyr RTOS, specifically the Bluetooth Classic Hands‑Free Profile implementation when CONFIG_BT_HFP_HF is enabled. The flaw was introduced in the initial HFP HF CIND parser around version 1.7 and exists in releases up to and including v4.4.0.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium severity flaw, and the vulnerability is not listed in CISA’s KEV catalog. The absence of an EPSS score means no current estimate of exploitation frequency, but the defect can be triggered remotely over an open Bluetooth connection by a crafted Access Gateway using a single malformed AT message. Because the attack requires no user action and can occur on any device running the vulnerable Zephyr build, the risk remains significant for deployed systems that expose the Hands‑Free role.

Generated by OpenCVE AI on June 18, 2026 at 11:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit cf7693a8261ae363c9cf46cfd51005486637173e or upgrade Zephyr to a release that includes this guard (e.g., v4.4.1 or later)
  • If the Hands‑Free Profile is not required, disable CONFIG_BT_HFP_HF in the Zephyr configuration
  • Verify that the device’s Bluetooth stack does not accept unsolicited HFP connections and consider limiting pairing or authentication to reduce exposure

Generated by OpenCVE AI on June 18, 2026 at 11:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Zephyrproject
Zephyrproject zephyr
Vendors & Products Zephyrproject
Zephyrproject zephyr
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf-ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf. Because the parser places no cap on the number of +CIND: list entries, a remote Attendant Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction. The sibling consumer ag_indicator_handle_values() already performed the equivalent bounds check; this commit adds the same index = ARRAY_SIZE(hf-ind_table) guard to close the gap. Affects builds with CONFIG_BT_HFP_HF enabled; introduced with the original HFP HF CIND parser (~v1.7) and present through v4.4.0.
Title Out-of-bounds write in Bluetooth HFP Hands-Free CIND indicator parsing (cind_handle_values)
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


Subscriptions

Zephyrproject Zephyr
cve-icon MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-17T15:00:13.802Z

Reserved: 2026-06-02T15:11:41.956Z

Link: CVE-2026-10641

cve-icon Vulnrichment

Updated: 2026-06-17T15:00:08.786Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T11:45:15Z

Weaknesses