Description
A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then unconditionally pulls an additional byte for the value type without verifying that the byte is present. A truncated 3-byte attribute (for example 09 00 09) therefore reaches net_buf_simple_pull() with insufficient remaining length, triggering the __ASSERT_NO_MSG(buf->len >= len) check and a kernel panic in assert-enabled builds (denial of service). In builds where assertions are disabled, parsing may continue past the end of the available buffer, leading to an out-of-bounds read and undefined behavior.
Published: 2026-06-22
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed Bluetooth Classic Service Discovery Protocol attribute can trigger an assertion in Zephyr's SDP parser. The parser only checks that the 3-byte header (attribute type and attribute id) is present and then pulls a fourth byte for the value type unconditionally, so a truncated 3-byte attribute reaches a net_buf_simple_pull() call with no data left. If assertions are enabled, this leads to a kernel panic, denying service to the device. If assertions are disabled, the parser may read past the buffer's end, resulting in undefined behaviour and a potential data leak. This is a classic buffer handling flaw that can be exploited to crash the target or disclose memory contents.
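To make the missing length check concrete, here is an added example (not Zephyr's code) that models the pattern the description gives, with a hypothetical minimal buffer type standing in for net_buf_simple; the input bytes are the truncated 09 00 09 attribute from the description plus a constructed 4-byte variant.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for Zephyr's net_buf_simple, not the real struct. */
struct sbuf { const uint8_t *data; size_t len; };

/* Model of net_buf_simple_pull(): where the real helper asserts on
 * buf->len >= len, this returns NULL so the failure can be observed. */
static const uint8_t *sbuf_pull(struct sbuf *b, size_t n)
{
    if (b->len < n) return NULL;
    const uint8_t *p = b->data;
    b->data += n;
    b->len -= n;
    return p;
}

#define SDP_ATTR_HDR_LEN 3 /* 1-byte attribute type + 2-byte attribute id */
enum parse_result { PARSE_OK, PARSE_TOO_SHORT, PARSE_ASSERT_REACHED };

/* Vulnerable pattern: only the 3-byte header is required, then the
 * value-type byte is pulled without checking that it is present. */
enum parse_result parse_attr_vulnerable(const uint8_t *pkt, size_t len, uint8_t *vtype)
{
    struct sbuf b = { pkt, len };
    if (b.len < SDP_ATTR_HDR_LEN) return PARSE_TOO_SHORT;
    sbuf_pull(&b, SDP_ATTR_HDR_LEN);
    const uint8_t *vt = sbuf_pull(&b, 1); /* b.len is already 0 for a 3-byte input */
    if (vt == NULL) return PARSE_ASSERT_REACHED; /* real code: panic, or OOB read */
    *vtype = *vt;
    return PARSE_OK;
}

/* Hardened pattern: require header plus value-type byte before any pull. */
enum parse_result parse_attr_hardened(const uint8_t *pkt, size_t len, uint8_t *vtype)
{
    struct sbuf b = { pkt, len };
    if (b.len < SDP_ATTR_HDR_LEN + 1) return PARSE_TOO_SHORT; /* reject cleanly */
    sbuf_pull(&b, SDP_ATTR_HDR_LEN);
    *vtype = *sbuf_pull(&b, 1);
    return PARSE_OK;
}

/* Constructed inputs: the truncated attribute from the description, and the
 * same header followed by one constructed byte standing in for a value type. */
static const uint8_t truncated_attr[] = { 0x09, 0x00, 0x09 };
static const uint8_t complete_attr[]  = { 0x09, 0x00, 0x09, 0x08 };

/* Each case returns the parse result so it can be checked directly. */
int case_vulnerable_truncated(void) { uint8_t v; return parse_attr_vulnerable(truncated_attr, sizeof truncated_attr, &v); }
int case_hardened_truncated(void)   { uint8_t v; return parse_attr_hardened(truncated_attr, sizeof truncated_attr, &v); }
int case_hardened_complete(void)    { uint8_t v; return parse_attr_hardened(complete_attr, sizeof complete_attr, &v); }
```

The vulnerable path reaches the failing pull on the 3-byte input, while the hardened path rejects it before any pull and still parses the 4-byte input.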

Affected Systems

This affects Zephyr, the real-time operating system developed by zephyrproject-rtos. Any Zephyr build that includes Bluetooth Classic functionality and does not apply the upstream patch is susceptible. The specific vulnerable code is the SDP parser in subsys/bluetooth/host/classic/sdp.c, triggered via any SDP packet containing a malformed attribute that is sent to the device.

Risk and Exploitability

The issue has a CVSS score of 7.1, indicating moderate risk. The EPSS score is not available, so the current likelihood of exploitation cannot be quantified, and the KEV catalog does not list it as known exploited. The vulnerability is remote in that it requires an attacker to send a specially crafted SDP attribute over Bluetooth Classic, which a nearby device can do without authentication. Based on the description, it is inferred that the attacker must establish a Bluetooth connection and transmit the truncated attribute; successful exploitation will cause either a crash or an out-of-bounds read.

Generated by OpenCVE AI on June 23, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Zephyr operating system to a patch release that fixes the SDP parsing bug; the relevant changes are documented in the Zephyr GitHub advisory GHSA-p93g-3r68-cj53.
  • If immediate patching is not feasible, disable or drop support for Bluetooth Classic SDP in the application, or block reception of untrusted SDP packets via a firewall or custom filtering code.
  • Consider disabling assertions in builds only as a temporary measure; note that this does not eliminate the out‑of‑bounds read and may still expose memory contents, so it is not a long‑term solution.


Advisories

No advisories yet.

History

Tue, 23 Jun 2026 02:45:00 +0000

  • First Time appeared (values added): Zephyrproject-rtos; Zephyrproject-rtos zephyr
  • Vendors & Products (values added): Zephyrproject-rtos; Zephyrproject-rtos zephyr

Tue, 23 Jun 2026 00:30:00 +0000

  • Description (values added): the text given in the Description section above
  • Title (values added): Bluetooth Classic SDP parser truncation bug in bt_sdp_parse_attribute() leads to reachable assertion and possible out-of-bounds read
  • Weaknesses (values added): CWE-20, CWE-617
  • References (values added): none listed
  • Metrics (values added): cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-22T23:54:36.070Z

Reserved: 2026-06-02T15:24:24.388Z

Link: CVE-2026-10651

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T02:30:16Z

Weaknesses