Impact
Zephyr RTOS’s Bluetooth Classic Hands‑Free Profile (HFP) Hands‑Free role parser contains an out‑of‑bounds write when handling the AT+CIND: response from an Access Gateway. During Service Level Connection setup the HF parser calls cind_handle_values() on each indicator entry but fails to check that the calculated index is within the 20‑element ind_table array. A malicious or compromised peer can send more than twenty indicators, causing the parser to write past the array and corrupt adjacent data such as feature masks, SDP state, and the calls array. The resulting memory corruption can bring the Bluetooth host down or corrupt other internal structures, yielding at least a denial of service without any user interaction.
Affected Systems
Zephyr Project’s Zephyr RTOS, specifically the Bluetooth Classic Hands‑Free Profile implementation when CONFIG_BT_HFP_HF is enabled. The flaw was introduced in the initial HFP HF CIND parser around version 1.7 and exists in releases up to and including v4.4.0.
Risk and Exploitability
The CVSS score of 7.1 indicates a medium severity flaw, and the vulnerability is not listed in CISA’s KEV catalog. The absence of an EPSS score means no current estimate of exploitation frequency, but the defect can be triggered remotely over an open Bluetooth connection by a crafted Access Gateway using a single malformed AT message. Because the attack requires no user action and can occur on any device running the vulnerable Zephyr build, the risk remains significant for deployed systems that expose the Hands‑Free role.
OpenCVE Enrichment