Description
The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification a start segment (sc=0) always carries a 3-byte time_offset, so its segment-header len must be at least PDU_ISO_SEG_TIMEOFFSET_SIZE (3). isoal_check_seg_header() accepted start segments with len < 3 as valid, and isoal_rx_framed_consume() then computed length = seg_hdr->len - 3 in a uint8_t, underflowing to 253-255 when len is 0-2. That oversized length is passed to isoal_rx_append_to_sdu(), whose copy is clamped only against the destination SDU buffer size, not the source PDU length, so up to ~255 bytes of controller memory beyond the received PDU are copied (via sink_sdu_write_hci()/net_buf_add_mem) into an HCI ISO data packet and delivered to the host. The PDU and its segment headers are entirely attacker-controlled and arrive over the air, reachable through both the CIS and BIS-sync HCI data paths (hci_driver.c) and the vendor data path (ull_iso.c), so a remote CIS peer or a broadcaster the device is synced to can trigger an out-of-bounds read causing information disclosure to the host and potential denial of service (faults or malformed oversized HCI ISO packets). The flaw affects all Zephyr releases since framed ISO reception was introduced in v3.0.0. The fix rejects sc=0 segments with len < 3 in isoal_check_seg_header() and adds a guard before the subtraction in isoal_rx_framed_consume().
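The arithmetic at the heart of the description, as an added illustration (constructed model, not Zephyr's own code or structs): the pre-fix uint8_t subtraction wraps for a start segment with len 0..2, the post-fix check rejects such segments before the subtraction, and a source-bounded append shows the clamp the description says isoal_rx_append_to_sdu() lacked. The struct and function names here are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a framed ISO segment header; field names follow the
 * CVE description, not Zephyr's real pdu_iso_sdu_sh layout. */
#define PDU_ISO_SEG_TIMEOFFSET_SIZE 3

struct seg_hdr_model {
    uint8_t sc;  /* 0 = start segment, which carries a 3-byte time_offset */
    uint8_t len; /* length byte taken from the over-the-air segment header */
};

/* Pre-fix arithmetic: the header is accepted unconditionally and the
 * subtraction is done in a uint8_t, so len 0..2 wraps to 253..255. */
uint8_t payload_len_vulnerable(const struct seg_hdr_model *h)
{
    uint8_t length = h->len;
    if (h->sc == 0) {
        length -= PDU_ISO_SEG_TIMEOFFSET_SIZE;
    }
    return length;
}

/* Post-fix check: a start segment must be long enough to hold time_offset. */
bool seg_header_ok_fixed(const struct seg_hdr_model *h)
{
    return !(h->sc == 0 && h->len < PDU_ISO_SEG_TIMEOFFSET_SIZE);
}

/* Post-fix arithmetic: guard before subtracting; -1 means the segment was rejected. */
int payload_len_fixed(const struct seg_hdr_model *h)
{
    if (!seg_header_ok_fixed(h)) {
        return -1;
    }
    return (h->sc == 0) ? (int)h->len - PDU_ISO_SEG_TIMEOFFSET_SIZE : (int)h->len;
}

/* Defensive append: bound the copy by the free space in the destination SDU
 * AND by the bytes actually left in the source PDU, so an inflated length can
 * never read past the received packet. Returns the number of bytes copied. */
size_t append_to_sdu_bounded(uint8_t *dst, size_t dst_cap, size_t dst_used,
                             const uint8_t *src, size_t src_remaining, size_t length)
{
    size_t n = length;
    if (dst_used > dst_cap) return 0;
    if (n > dst_cap - dst_used) n = dst_cap - dst_used;
    if (n > src_remaining) n = src_remaining;
    memcpy(dst + dst_used, src, n);
    return n;
}
```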
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Zephyr Bluetooth controller ISO Adaptation Layer treats the length field of a framed start segment as valid even when it is smaller than the three bytes required for the time_offset. Subtracting three from that unsigned byte underflows, yielding an inflated length that is then used to copy up to 255 bytes of controller memory beyond the received PDU into an HCI ISO data packet. The PDU that triggers the copy is attacker-controlled, so the leaked controller memory is delivered to the host as if it were ISO payload, exposing sensitive controller state; the malformed oversized packets can also cause a crash or other denial-of-service behavior.

Affected Systems

Zephyr RTOS: the vulnerability affects the Bluetooth controller implementation in Zephyr in every release since framed ISO reception was introduced in v3.0.0. It applies to any device running Zephyr with the default ISO Adaptation Layer enabled, regardless of vendor customization.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate (Medium) severity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers can trigger the flaw over the air through the Bluetooth (IEEE 802.15.1) CIS and BIS-sync data paths, as well as the vendor data path, without any privileged access on the device. By sending crafted ISO PDUs the attacker can read up to 255 bytes of adjacent controller memory, potentially leaking internal state or causing a crash. The remote attack vector and the absence of any required local privilege raise the risk for operational environments that rely on Zephyr for Bluetooth connectivity.

Generated by OpenCVE AI on June 30, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zephyr to a version that includes the fix committed in 28080d80fc8a, or apply the patch manually and rebuild the firmware.
  • Flash the updated firmware to all affected devices to ensure the source code change takes effect.
  • If a patch cannot be applied immediately, disable ISO data reception (and, where possible, transmission) on the device so it does not process framed ISO PDUs that could trigger the flaw.


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 16:45:00 +0000

Type: Description
Values Added: the full description text shown in the Description section at the top of this page.

Type: Title
Values Added: Out-of-bounds read in Bluetooth Controller ISOAL framed RX reassembly leaks adjacent memory into host HCI ISO packets

Type: Weaknesses
Values Added: CWE-125

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED
Assigner: zephyr
Published:
Updated: 2026-06-30T16:40:43.968Z
Reserved: 2026-05-21T23:33:58.944Z
Link: CVE-2026-9263

Vulnrichment

Updated: 2026-06-30T16:40:39.072Z

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:45:04Z