Impact
A remote, unauthenticated BLE peer can trigger an out-of-bounds write by sending a specially crafted L2CAP LE CoC segmentation counter. When segmentation is enabled via chan_ops.alloc_buf and the selected receive buffer pool has a user_data_size smaller than two bytes, the segmentation counter stored in the net_buf user_data area is written beyond its bounds in l2cap_chan_le_recv_seg. The result is heap corruption that causes a fatal error or, under AddressSanitizer, an abort. This memory corruption could allow an attacker to crash the Bluetooth host or, if the attacker can control the overwritten data, could potentially lead to code execution.
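The defect described above, as an added illustration that is not Zephyr's code: a constructed model of a net_buf user_data area (the struct, its field names and the -EINVAL result are assumptions, not the project's API), with the unchecked 16-bit counter write beside a hardened version that validates user_data_size before writing.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a net_buf user_data area (not Zephyr's struct): only the
 * first user_data_size bytes of storage are the buffer's; the next byte stands
 * in for whatever the allocator placed after it in memory. */
#define CANARY 0xA5
struct model_buf {
    uint8_t storage[8];
    size_t user_data_size;   /* mirrors the pool's configured user_data_size */
};

/* Vulnerable pattern: the 16-bit segmentation counter is stored in user_data
 * without checking that the pool reserved room for it. */
static void seg_store_unchecked(struct model_buf *b, uint16_t count)
{
    memcpy(b->storage, &count, sizeof(count));
}

/* Hardened pattern: validate user_data_size first; on failure the caller drops
 * the segment (or rejects the pool at setup) instead of writing. */
static int seg_store_checked(struct model_buf *b, uint16_t count)
{
    if (b->user_data_size < sizeof(count)) {
        return -EINVAL;
    }
    memcpy(b->storage, &count, sizeof(count));
    return 0;
}

/* Unchecked store on a 1-byte pool clobbers the byte after user_data. */
static bool unchecked_write_corrupts_neighbour(void)
{
    struct model_buf b = { .user_data_size = 1 };
    b.storage[1] = CANARY;                /* stand-in for the neighbour byte */
    seg_store_unchecked(&b, 0x0102);
    return b.storage[1] != CANARY;
}

/* Checked store on the same pool is refused; the neighbour stays intact. */
static bool checked_write_is_rejected(void)
{
    struct model_buf b = { .user_data_size = 1 };
    b.storage[1] = CANARY;
    return seg_store_checked(&b, 0x0102) == -EINVAL && b.storage[1] == CANARY;
}
```

The same size check belongs at channel setup, so a pool that cannot hold the counter is rejected before any segment arrives.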
Affected Systems
The flaw affects the Zephyr RTOS project. Any Zephyr build that enables L2CAP LE CoC segmentation and uses a receive buffer pool with a user_data_size less than two bytes is potentially vulnerable. Builds that do not enable segmentation or that use a pool with a larger user_data_size are not impacted. No specific release versions are listed in the advisory, so the vulnerability may exist in current Zephyr releases that match this configuration.
Risk and Exploitability
The CVSS score of 7.6 indicates a high-severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers only need an unauthenticated remote BLE peer capable of initiating a CoC connection to craft a packet that triggers the overflow. The vulnerability is exploitable before authentication of the BLE link, so an untrusted device can reliably cause the overflow. Because the write corrupts the heap, the actual exploitability depends on memory layout: it can produce a denial of service or, in some scenarios, allow arbitrary code execution if the attacker can control the overwritten data.
OpenCVE Enrichment