Description
SimpleBLE is a cross-platform library and bindings for Bluetooth Low Energy (BLE). Prior to version 0.14.0, there are multiple stack-based buffer overflow vulnerabilities in SimpleBLE. There is a stack overflow vulnerability in the dongl backend’s Protocol::simpleble_write function (local, caller-controlled input). A stack overflow vulnerability when processing manufacturer-specific data in BLE advertisements (remote, no pairing or connection required). Lastly, a stack overflow vulnerability when processing service data in BLE advertisements (remote, no pairing or connection required). This issue has been patched in version 0.14.0.
Published: 2026-06-09
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Multiple stack-based buffer overflow vulnerabilities exist in SimpleBLE versions prior to 0.14.0. The vulnerabilities affect the dongl backend’s Protocol::simpleble_write function for local caller‑controlled input and also arise when processing manufacturer‑specific and service data in BLE advertisements, which can be triggered remotely without any pairing or connection. These overflows can allow an attacker to corrupt the stack and potentially execute arbitrary code, compromising confidentiality, integrity, and availability of the targeted system.

Affected Systems

The affected vendor and product are simpleble:simpleble. All releases before version 0.14.0 are vulnerable. Users who compile or link against any SimpleBLE library older than 0.14.0 are at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is not available, but the absence of a KEV listing does not reduce the likelihood of exploitation, especially because the BLE advertisement based vectors are remote and require no authentication. The known vulnerable functions can be targeted by simply broadcasting malicious BLE packets, making the attack path easy for attackers with Bluetooth hardware. The patch is available, so the risk can be mitigated by upgrading.

Generated by OpenCVE AI on June 10, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to SimpleBLE version 0.14.0 or later.
  • Rebuild the application to link against the updated library.
  • If upgrading immediately is not possible, replace or remove code that processes BLE manufacturer or service data from older SimpleBLE, or add input validation to limit buffer sizes.

Generated by OpenCVE AI on June 10, 2026 at 01:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Description SimpleBLE is a cross-platform library and bindings for Bluetooth Low Energy (BLE). Prior to version 0.14.0, there are multiple stack-based buffer overflow vulnerabilities in SimpleBLE. There is a stack overflow vulnerability in the dongl backend’s Protocol::simpleble_write function (local, caller-controlled input). A stack overflow vulnerability when processing manufacturer-specific data in BLE advertisements (remote, no pairing or connection required). Lastly, a stack overflow vulnerability when processing service data in BLE advertisements (remote, no pairing or connection required). This issue has been patched in version 0.14.0.
Title Stack buffer overflows in SimpleBLE
Weaknesses CWE-121
CWE-787
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-09T23:59:31.113Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44634

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T01:16:27.080

Modified: 2026-06-10T01:16:27.080

Link: CVE-2026-44634

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T01:30:18Z

Weaknesses