CVE-2024-7137 is a medium severity vulnerability classified as CWE-787 (Out-of-bounds Write) affecting the RS9116 Bluetooth SDK developed by silabs.com. The vulnerability arises in the handling of L2CAP (Logical Link Control and Adaptation Protocol) receive data buffers. Specifically, the SDK restricts the buffer size for incoming L2CAP packets to be smaller than the maximum supported packet size. However, if a packet exceeding this restricted buffer length is received, it can cause an out-of-bounds write condition. This memory corruption leads to a crash of the device running the vulnerable SDK, requiring a hard reset to recover. The CVSS v3.1 base score is 6.5, reflecting a medium severity with the vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating the attack requires adjacent network access, no privileges or user interaction, and impacts availability only. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects version 0 of the RS9116 Bluetooth SDK, which is used in embedded Bluetooth modules and IoT devices that rely on Silabs’ wireless connectivity solutions. The root cause is insufficient bounds checking on L2CAP packet sizes, a critical protocol layer in Bluetooth communications, which can be exploited by sending specially crafted oversized L2CAP packets to cause denial of service via device crashes.

For European organizations deploying devices or systems using the RS9116 Bluetooth SDK, this vulnerability poses a risk of denial of service (DoS) attacks. The impact is primarily on availability, as the affected devices will crash and require a hard reset, potentially disrupting critical operations. This is particularly concerning for industries relying on embedded Bluetooth modules for automation, industrial control, healthcare devices, or smart infrastructure, where device downtime can lead to operational delays, safety risks, or financial losses. Since the attack vector requires adjacent network access (e.g., Bluetooth proximity), attackers need to be physically near the target device, which somewhat limits remote exploitation but does not eliminate risk in public or semi-public environments. The lack of required privileges or user interaction lowers the barrier for exploitation by nearby attackers. European organizations with IoT deployments, smart manufacturing, or medical device usage incorporating Silabs RS9116 modules should be aware of potential disruptions and plan accordingly.

1. Monitor silabs.com and official channels for patches or firmware updates addressing CVE-2024-7137 and apply them promptly once available. 2. Implement network segmentation and access controls to limit Bluetooth connectivity exposure, especially in sensitive environments. 3. Employ Bluetooth device whitelisting and authentication mechanisms to restrict connections to trusted devices only. 4. Conduct regular device inventory and firmware version audits to identify affected RS9116 SDK deployments. 5. Where feasible, disable or restrict Bluetooth functionality on devices that do not require it to reduce attack surface. 6. For critical systems, consider deploying intrusion detection systems capable of monitoring anomalous Bluetooth traffic patterns indicative of oversized L2CAP packets. 7. Train operational staff to recognize and respond to device crashes potentially caused by this vulnerability, including procedures for safe hard resets and incident reporting. 8. Engage with Silabs support for guidance on interim mitigations or workarounds until official patches are released.