Description
SimpleBLE is a cross-platform library and bindings for Bluetooth Low Energy (BLE). Prior to version 0.14.0, there are multiple stack-based buffer overflow vulnerabilities in SimpleBLE. There is a stack overflow vulnerability in the dongl backend’s Protocol::simpleble_write function (local, caller-controlled input). A stack overflow vulnerability when processing manufacturer-specific data in BLE advertisements (remote, no pairing or connection required). Lastly, a stack overflow vulnerability when processing service data in BLE advertisements (remote, no pairing or connection required). This issue has been patched in version 0.14.0.
Published: 2026-06-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Multiple stack-based buffer overflow vulnerabilities exist in SimpleBLE versions prior to 0.14.0. The vulnerabilities affect the dongl backend’s Protocol::simpleble_write function for local caller‑controlled input and also arise when processing manufacturer‑specific and service data in BLE advertisements, which can be triggered remotely without any pairing or connection. These overflows can allow an attacker to corrupt the stack and potentially execute arbitrary code, compromising confidentiality, integrity, and availability of the targeted system.

Affected Systems

The affected vendor and product are simpleble:simpleble. All releases before version 0.14.0 are vulnerable. Users who compile or link against any SimpleBLE library older than 0.14.0 are at risk.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity vulnerability. The EPSS score is not available, but the absence of a KEV listing does not reduce the likelihood of exploitation, especially because the BLE advertisement based vectors are remote and require no authentication. The known vulnerable functions can be targeted by simply broadcasting malicious BLE packets, making the attack path easy for attackers with Bluetooth hardware. The patch is available, so the risk can be mitigated by upgrading.

Generated by OpenCVE AI on June 10, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to SimpleBLE version 0.14.0 or later.
  • Rebuild the application to link against the updated library.
  • If upgrading immediately is not possible, replace or remove code that processes BLE manufacturer or service data from older SimpleBLE, or add input validation to limit buffer sizes.

Generated by OpenCVE AI on June 10, 2026 at 01:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Simpleble
Simpleble simpleble
Vendors & Products Simpleble
Simpleble simpleble

Wed, 10 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Description SimpleBLE is a cross-platform library and bindings for Bluetooth Low Energy (BLE). Prior to version 0.14.0, there are multiple stack-based buffer overflow vulnerabilities in SimpleBLE. There is a stack overflow vulnerability in the dongl backend’s Protocol::simpleble_write function (local, caller-controlled input). A stack overflow vulnerability when processing manufacturer-specific data in BLE advertisements (remote, no pairing or connection required). Lastly, a stack overflow vulnerability when processing service data in BLE advertisements (remote, no pairing or connection required). This issue has been patched in version 0.14.0.
Title Stack buffer overflows in SimpleBLE
Weaknesses CWE-121
CWE-787
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Simpleble Simpleble
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T13:04:52.348Z

Reserved: 2026-05-07T15:30:10.875Z

Link: CVE-2026-44634

cve-icon Vulnrichment

Updated: 2026-06-10T13:04:46.201Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T01:16:27.080

Modified: 2026-06-10T20:19:06.020

Link: CVE-2026-44634

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T11:21:26Z

Weaknesses