Description
A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header (4 bytes, ts=0) without first verifying that buf->len contains at least that many bytes. The outer HCI ISO length check in hci_iso() validates payload length consistency but not the minimum inner SDU header size, so a packet with payload length 1 passes hci_iso() and then reaches net_buf_pull_mem(), which asserts buf->len >= len. As a result, malformed ISO traffic deterministically triggers a kernel assert (denial of service) in assert-enabled builds, and in non-assert builds the same path may proceed with an undersized buffer, leading to out-of-bounds read behavior. The issue affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled, particularly where incoming HCI data can be influenced by a malicious or compromised controller or malformed forwarded ISO traffic.
Published: 2026-06-22
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing length validation in the Zephyr Bluetooth Host ISO receive path lets malformed HCI ISO data that passes the outer payload check reach an unchecked header pull: bt_iso_recv() handles PB=START/SINGLE fragments by pulling an 8‑byte (TS) or 4‑byte (non‑TS) SDU header without first confirming that the buffer holds that many bytes. In assert‑enabled builds the pull trips a kernel assert and the device crashes deterministically; in builds without assertions the pull proceeds on an undersized buffer and the subsequent header reads run past the payload (an out‑of‑bounds read). The practical outcome is denial of service; no code‑execution path is described.

Affected Systems

The vulnerability affects any system running the Zephyr RTOS Bluetooth Host stack with CONFIG_BT_ISO_RX enabled, that is, any Zephyr‑based product that accepts incoming HCI ISO data from its controller. No fixed release is listed, so any build containing the unpatched host code should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) rates this as a high‑severity, adjacent‑network denial of service with a low confidentiality impact from the possible out‑of‑bounds read. No EPSS score is available, and the issue is not catalogued in the CISA KEV list. The attack vector is a malicious or compromised Bluetooth controller, or forwarded ISO traffic that an attacker within radio range can shape so that the controller delivers a malformed HCI ISO packet to the host; in either case the attacker must be able to influence the data the controller hands to the host, so proximity to the device or control of the controller is required. No privileges or user interaction are needed, and a single malformed packet is enough to trigger the crash, which makes this a serious operational risk for devices that must stay available.

Generated by OpenCVE AI on June 23, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Zephyr RTOS to a release that includes the fix for the ISO receive length validation
  • If an upgrade is not possible, disable ISO reception by setting CONFIG_BT_ISO_RX=n in the build configuration to remove the vulnerable code path
  • For builds that must retain ISO RX functionality, patch bt_iso_recv() to check that buf->len is at least the SDU header size (8 bytes with TS, 4 bytes without) before the net_buf_pull_mem() call and drop the fragment otherwise; enabling kernel assertions on its own only turns the out‑of‑bounds read into a deterministic crash and does not remove the denial‑of‑service condition
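The following stand‑alone C model illustrates both the flaw described in the Description and the check recommended above. It is an added example, not code from the Zephyr project: the buffer type, sim_pull(), hci_iso_check(), iso_recv() and process_hci_iso() are simplified stand‑ins for net_buf, net_buf_pull_mem(), hci_iso() and bt_iso_recv(), and the two packets are constructed by hand rather than captured. The header layout (PB flag in bits 12‑13 and TS flag in bit 14 of the first 16‑bit field, a 16‑bit data length, then an optional 32‑bit timestamp, a 16‑bit sequence number and a 16‑bit field carrying the 12‑bit SDU length and 2‑bit packet status) follows the HCI ISO data packet format. With hardened=false the model reproduces the pull‑before‑check path and reports the length underflow that a non‑assert build would silently carry into later reads; with hardened=true the short fragment is dropped before any pull.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* HCI ISO data packet constants; names mirror Zephyr's but this is a model. */
#define ISO_PB_START        0x00
#define ISO_PB_CONT         0x01
#define ISO_PB_SINGLE       0x02
#define ISO_PB_END          0x03
#define ISO_HDR_LEN         4   /* handle/flags (2) + data length (2) */
#define ISO_SDU_HDR_LEN     4   /* sequence number (2) + length/status (2) */
#define ISO_SDU_TS_HDR_LEN  8   /* 32-bit timestamp + the 4 bytes above */

enum iso_rx_result {
    ISO_RX_OK,
    ISO_RX_DROP_BAD_LEN,        /* outer length field inconsistent: dropped by the hci_iso() stand-in */
    ISO_RX_DROP_SHORT_SDU_HDR,  /* the missing check: payload shorter than the SDU header */
    ISO_RX_UNDERFLOW,           /* unchecked pull past len: assert in debug builds, OOB read otherwise */
};

struct sim_buf { const uint8_t *data; uint16_t len; };   /* stand-in for net_buf */

struct sdu_hdr {
    bool has_ts;
    uint32_t ts;
    uint16_t sn;
    uint16_t sdu_len;    /* bits 0-11 of the length field */
    uint8_t pkt_status;  /* bits 14-15 of the length field */
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Models net_buf_pull_mem() in a build without assertions: it just advances
 * data and decrements len. When len < n the real length underflows and later
 * reads run past the packet; this model flags that instead of reading. */
static const uint8_t *sim_pull(struct sim_buf *buf, uint16_t n, bool *underflow)
{
    const uint8_t *p = buf->data;
    *underflow = buf->len < n;
    buf->data += n;
    buf->len = (uint16_t)(buf->len - n);
    return p;
}

/* Outer check, as in hci_iso(): the data length field must match the bytes that follow. */
static enum iso_rx_result hci_iso_check(struct sim_buf *buf, uint8_t *pb, bool *ts)
{
    if (buf->len < ISO_HDR_LEN) return ISO_RX_DROP_BAD_LEN;
    uint16_t handle = get_le16(buf->data);
    uint16_t data_len = get_le16(buf->data + 2);
    if (data_len != buf->len - ISO_HDR_LEN) return ISO_RX_DROP_BAD_LEN;
    *pb = (handle >> 12) & 0x03;
    *ts = ((handle >> 14) & 0x01) != 0;
    bool uf;
    (void)sim_pull(buf, ISO_HDR_LEN, &uf);
    return ISO_RX_OK;
}

/* Inner SDU header handling, as in bt_iso_recv(). hardened=false reproduces
 * the flaw (pull before length check); hardened=true adds the minimum-length check. */
static enum iso_rx_result iso_recv(struct sim_buf *buf, uint8_t pb, bool ts, bool hardened,
                                   struct sdu_hdr *out)
{
    out->has_ts = ts;
    if (pb != ISO_PB_START && pb != ISO_PB_SINGLE) return ISO_RX_OK;  /* CONT/END carry no SDU header */
    uint16_t hdr_len = ts ? ISO_SDU_TS_HDR_LEN : ISO_SDU_HDR_LEN;
    if (hardened && buf->len < hdr_len) return ISO_RX_DROP_SHORT_SDU_HDR;  /* the missing check */
    bool underflow;
    const uint8_t *h = sim_pull(buf, hdr_len, &underflow);
    if (underflow) return ISO_RX_UNDERFLOW;
    if (ts) { out->ts = get_le32(h); h += 4; }
    out->sn = get_le16(h);
    uint16_t slen = get_le16(h + 2);
    out->sdu_len = slen & 0x0FFF;
    out->pkt_status = (slen >> 14) & 0x03;
    return ISO_RX_OK;
}

/* Full path for one HCI ISO data packet; *payload_len receives the buffer length left afterwards. */
enum iso_rx_result process_hci_iso(const uint8_t *pkt, uint16_t pkt_len, bool hardened,
                                   struct sdu_hdr *out, uint16_t *payload_len)
{
    struct sim_buf buf = { pkt, pkt_len };
    uint8_t pb; bool ts;
    enum iso_rx_result r = hci_iso_check(&buf, &pb, &ts);
    if (r != ISO_RX_OK) return r;
    r = iso_recv(&buf, pb, ts, hardened, out);
    *payload_len = buf.len;   /* 0xFFFD after the unchecked pull on the short packet */
    return r;
}

/* Constructed sample packets (hand-built for this example, not captured traffic). */
const uint8_t PKT_VALID_TS[] = {
    0x40, 0x40,              /* handle 0x0040, PB=START, TS=1 */
    0x0B, 0x00,              /* data length 11 = 8-byte TS SDU header + 3 payload bytes */
    0x78, 0x56, 0x34, 0x12,  /* timestamp 0x12345678 */
    0x07, 0x00,              /* sequence number 7 */
    0x03, 0x00,              /* SDU length 3, packet status 0 */
    0xAA, 0xBB, 0xCC,
};
const uint8_t PKT_SHORT[] = {
    0x40, 0x20,              /* handle 0x0040, PB=SINGLE, TS=0 */
    0x01, 0x00,              /* data length 1: consistent with the packet, shorter than the 4-byte SDU header */
    0x00,
};

int main(void)
{
    struct sdu_hdr h; uint16_t rem;
    printf("valid, unpatched:  %d\n", process_hci_iso(PKT_VALID_TS, sizeof PKT_VALID_TS, false, &h, &rem));
    printf("short, unpatched:  %d (len now %u)\n", process_hci_iso(PKT_SHORT, sizeof PKT_SHORT, false, &h, &rem), rem);
    printf("short, hardened:   %d\n", process_hci_iso(PKT_SHORT, sizeof PKT_SHORT, true, &h, &rem));
    return 0;
}
```

The short packet passes the outer check because its data length field (1) equals the bytes that follow; only a check against the SDU header size inside the START/SINGLE branch stops it.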

Generated by OpenCVE AI on June 23, 2026 at 01:20 UTC.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 02:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Zephyrproject-rtos; Zephyrproject-rtos zephyr
Vendors & Products    (none)           Zephyrproject-rtos; Zephyrproject-rtos zephyr

Tue, 23 Jun 2026 00:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           (the Description shown at the top of this page)
Title         (none)           Bluetooth Host ISO RX Missing SDU Header Length Validation in bt_iso_recv() Leads to DoS
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-22T23:58:47.022Z

Reserved: 2026-06-02T15:24:35.422Z

Link: CVE-2026-10658

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T02:30:16Z

Weaknesses

No weakness.