Description
An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_len) and computes reported_len - 3 without checking that reported_len >= 3. When reported_len is less than 3, the subtraction is performed in signed int arithmetic and yields a negative value that bypasses the length guard and is then implicitly converted to a very large size_t when passed to net_buf_simple_pull_mem(). In builds without assertions, this wraps the buffer length and advances the data pointer far out of bounds, so subsequent reads dereference invalid memory. A nearby BLE device can trigger this with a non-connectable advertisement carrying a UUID16 AD structure and a crafted length byte, with no pairing or prior association required, potentially leading to denial of service or arbitrary code execution.
Published: 2026-06-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer underflow in bt_mesh_sol_recv() causes an out-of-bounds write during solicitation PDU parsing. The underflow allows an attacker to craft a length byte smaller than three, leading the code to compute a negative value that wraps into an enormous size_t when passed to net_buf_simple_pull_mem(). This causes the buffer pointer to advance beyond the allocated memory, resulting in invalid memory accesses that can be exploited for denial of service or arbitrary code execution. The vulnerability can be triggered by sending a non-connectable BLE advertisement containing a crafted UUID16 AD structure, with no pairing or prior association required.
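To make the length-check defect concrete, the following added example (not Zephyr's code, and not the actual bt_mesh_sol_recv() implementation) models the signed-arithmetic pattern the description reports beside a hardened, unsigned check, and walks constructed advertising payloads with the hardened version. It assumes the AD structure's length byte counts a type byte and a two-byte UUID ahead of the payload (hence the subtraction of 3), and that the bypassed guard is a signed comparison against the remaining buffer length; the AD type value and UUID in the sample bytes are placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Unchecked pattern (assumed shape): the length is computed in signed int, so a
 * reported_len below 3 goes negative, slips past a signed comparison, and is
 * converted to a huge size_t at the call site. Returns the byte count that would
 * reach the pull, or 0 when the signed guard rejects it. */
static size_t unchecked_pull_len(uint8_t reported_len, size_t remaining)
{
    int payload_len = (int)reported_len - 3;   /* 1 - 3 == -2 */
    if (payload_len > (int)remaining) {        /* -2 > 10 is false: guard passed */
        return 0;
    }
    return (size_t)payload_len;                /* -2 becomes SIZE_MAX - 1 */
}

/* Hardened check: reject lengths that cannot cover the type byte and the two-byte
 * UUID, then bound the structure against what is actually left in the buffer.
 * Unsigned arithmetic throughout. Returns the payload length, or -1 if malformed. */
static int checked_pull_len(uint8_t reported_len, size_t remaining)
{
    if (reported_len < 3 || (size_t)reported_len > remaining) {
        return -1;
    }
    return (int)(reported_len - 3u);
}

/* Walk every AD structure in a raw advertising payload with the hardened check.
 * Returns the number of structures, or -1 as soon as one is malformed. */
static int walk_adv_checked(const uint8_t *adv, size_t adv_len)
{
    int count = 0;
    while (adv_len > 0) {
        uint8_t reported_len = adv[0];
        int payload_len = checked_pull_len(reported_len, adv_len - 1);
        if (payload_len < 0) {
            return -1;
        }
        adv += 1 + reported_len;        /* length byte + type + UUID + payload */
        adv_len -= 1 + reported_len;    /* safe: checked against adv_len - 1 above */
        count++;
    }
    return count;
}

/* Constructed sample payloads, not captured traffic. 0x16 is a placeholder AD type
 * (not inspected here) and 0x1234 a placeholder UUID. */
static const uint8_t good_adv[] = { 0x05, 0x16, 0x34, 0x12, 0xaa, 0xbb };
static const uint8_t bad_adv[]  = { 0x01, 0x16 };   /* length 1 < 3 */
static const uint8_t trunc_adv[] = { 0x05, 0x16 };  /* claims 5, only 1 byte left */
```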

Affected Systems

Zephyr Project's Zephyr RTOS, specifically the Bluetooth Mesh subsystem when CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled. No specific version ranges are listed in the advisory; the issue applies to any build including that configuration.

Risk and Exploitability

With no official CVSS score or EPSS value, the risk assessment relies on the severity implied by the potential for arbitrary code execution. The vulnerability is publicly known and is exploitable only via BLE advertisements, which any nearby BLE device can transmit. Because the attack does not require credentials or prior configuration, an attacker can affect any device running the affected Zephyr code. The lack of a KEV listing suggests current exploitation may not yet be widespread, but the theoretical impact warrants immediate attention.

Generated by OpenCVE AI on June 4, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Zephyr RTOS release that includes the bt_mesh solicitation underflow fix.
  • Disable the CONFIG_BT_MESH_OD_PRIV_PROXY_SRV setting if the privacy-proxy service is not required.
  • Apply kernel or network filters to block anomalous BLE advertisements that include suspicious length fields.
  • Rebuild Zephyr with assertions enabled to catch the underflow during development and testing.


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Zephyrproject-rtos, Zephyrproject-rtos zephyr
Vendors & Products                    Zephyrproject-rtos, Zephyrproject-rtos zephyr

Thu, 04 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_len) and computes reported_len - 3 without checking that reported_len >= 3. When reported_len is less than 3, the subtraction is performed in signed int arithmetic and yields a negative value that bypasses the length guard and is then implicitly converted to a very large size_t when passed to net_buf_simple_pull_mem(). In builds without assertions, this wraps the buffer length and advances the data pointer far out of bounds, so subsequent reads dereference invalid memory. A nearby BLE device can trigger this with a non-connectable advertisement carrying a UUID16 AD structure and a crafted length byte, with no pairing or prior association required, potentially leading to denial of service or arbitrary code execution.
Title Out-of-bounds write caused by an integer underflow in the Bluetooth Mesh subsystem.
Weaknesses CWE-787
References

MITRE

Status: PUBLISHED

Assigner: zephyr

Published:

Updated: 2026-06-04T19:54:49.456Z

Reserved: 2026-04-05T02:52:29.084Z

Link: CVE-2026-5589

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T20:16:58.540

Modified: 2026-06-04T20:16:58.540

Link: CVE-2026-5589

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T21:30:23Z

Weaknesses