CVE-2025-12035: Integer Overflow or Wraparound in zephyrproject-rtos Zephyr
An integer overflow condition exists in the Bluetooth Host stack, within the bt_br_acl_recv routine, a critical path for processing inbound BR/EDR L2CAP traffic.
AI Analysis
Technical Summary
CVE-2025-12035 is an integer overflow vulnerability identified in the Zephyr RTOS Bluetooth Host stack, specifically in the bt_br_acl_recv routine responsible for processing inbound Basic Rate/Enhanced Data Rate (BR/EDR) Logical Link Control and Adaptation Protocol (L2CAP) traffic. The vulnerability arises from improper handling of integer values, leading to an overflow or wraparound condition. This flaw can cause memory corruption or unexpected behavior, resulting in a denial of service (DoS) by crashing the Bluetooth stack or the entire device. The vulnerability is exploitable remotely over Bluetooth without requiring any authentication or user interaction, increasing the risk profile. The CVSS v3.1 score is 6.5 (medium severity), reflecting the high impact on availability but no direct impact on confidentiality or integrity. Zephyr RTOS is an open-source real-time operating system widely used in embedded systems and IoT devices, including industrial controllers, automotive systems, and consumer electronics. Since all versions are affected, devices running any version of Zephyr are potentially vulnerable. No public exploits have been reported yet, but the ease of remote exploitation over Bluetooth makes this a significant concern for embedded device security.
Potential Impact
For European organizations, the primary impact of CVE-2025-12035 is the potential for denial of service on devices running Zephyr RTOS with Bluetooth BR/EDR capabilities. This can disrupt critical embedded systems in industrial automation, automotive telematics, smart city infrastructure, and consumer IoT devices. The availability disruption could lead to operational downtime, safety risks in automotive or industrial environments, and increased maintenance costs. Since Zephyr is used in safety-critical and mission-critical applications, even temporary outages can have significant consequences. The lack of confidentiality or integrity impact reduces the risk of data breaches, but service interruptions can affect business continuity and safety compliance. European sectors with heavy reliance on embedded Bluetooth-enabled devices are particularly vulnerable, especially where remote physical access is limited and Bluetooth is the primary communication channel.
Mitigation Recommendations
1. Monitor Zephyr project communications and apply official patches promptly once released to address CVE-2025-12035.
2. Implement strict input validation and boundary checks in the Bluetooth stack to prevent integer overflow conditions.
3. Employ Bluetooth traffic filtering and segmentation to limit exposure to untrusted devices, especially in industrial and automotive environments.
4. Disable BR/EDR Bluetooth functionality on devices where it is not required to reduce attack surface.
5. Conduct thorough testing and fuzzing of Bluetooth input handling routines to detect similar vulnerabilities proactively.
6. Use network segmentation and access controls to isolate vulnerable embedded devices from critical infrastructure.
7. Maintain up-to-date asset inventories to identify all Zephyr-based devices and prioritize remediation efforts.
8. Educate operational technology (OT) and embedded system teams about the risks of Bluetooth vulnerabilities and best practices for secure configuration.
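As an added illustration of recommendation 2 (constructed example code, not Zephyr's bt_br_acl_recv or any code from the Zephyr project; the page does not describe the exact arithmetic of the flaw), the C snippet below parses a standard L2CAP basic header (16-bit little-endian length followed by a 16-bit CID) in two ways. The first, hypothetical parse_pdu_unchecked, computes "header + declared length" in a 16-bit variable, so a declared length near 0xFFFF wraps to a small value and the bounds check passes even though the payload does not fit. The second, parse_pdu_checked, never adds to the attacker-controlled length and instead compares it against the space actually remaining after the header. The frames good_frame and bad_frame are constructed sample input; demo() and the *_len_of helpers are assumed names for the illustration.

```c
/* Added illustration (not Zephyr's bt_br_acl_recv): an L2CAP basic header
 * (2-byte length, 2-byte CID, little-endian) and two ways of checking that
 * the declared payload length fits in the received buffer. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L2CAP_HDR_LEN 4u   /* basic header: 16-bit length + 16-bit CID */

struct l2cap_pdu {
    uint16_t len;          /* declared payload length from the header */
    uint16_t cid;          /* destination channel id */
    const uint8_t *payload;
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Vulnerable pattern (constructed for illustration): the bound is computed
 * as header + declared length in a 16-bit variable, so a declared length
 * of 0xFFFC or more wraps to a small value and the check passes. */
bool parse_pdu_unchecked(const uint8_t *buf, uint16_t buf_len,
                         struct l2cap_pdu *out)
{
    if (buf_len < L2CAP_HDR_LEN) {
        return false;
    }
    uint16_t len = get_le16(buf);
    uint16_t needed = (uint16_t)(len + L2CAP_HDR_LEN); /* wraps modulo 2^16 */
    if (needed > buf_len) {
        return false;
    }
    out->len = len;
    out->cid = get_le16(buf + 2);
    out->payload = buf + L2CAP_HDR_LEN;
    return true;   /* a caller trusting out->len would now read past the buffer */
}

/* Hardened pattern: never add to the untrusted length; compare it against
 * the bytes that are actually left after the header. */
bool parse_pdu_checked(const uint8_t *buf, size_t buf_len,
                       struct l2cap_pdu *out)
{
    if (buf_len < L2CAP_HDR_LEN) {
        return false;
    }
    uint16_t len = get_le16(buf);
    size_t avail = buf_len - L2CAP_HDR_LEN;  /* cannot underflow after the guard */
    if (len > avail) {
        return false;  /* declared payload does not fit: drop the PDU */
    }
    out->len = len;
    out->cid = get_le16(buf + 2);
    out->payload = buf + L2CAP_HDR_LEN;
    return true;
}

/* Constructed sample frames: a well-formed 4-byte payload on CID 0x0040,
 * and a frame whose header claims a 0xFFFF-byte payload but carries 4. */
static const uint8_t good_frame[] = {0x04, 0x00, 0x40, 0x00, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t bad_frame[]  = {0xff, 0xff, 0x40, 0x00, 0xde, 0xad, 0xbe, 0xef};

/* Convenience wrappers: declared length on acceptance, -1 on rejection. */
int checked_len_of(const uint8_t *buf, size_t buf_len)
{
    struct l2cap_pdu p;
    return parse_pdu_checked(buf, buf_len, &p) ? (int)p.len : -1;
}

int unchecked_len_of(const uint8_t *buf, uint16_t buf_len)
{
    struct l2cap_pdu p;
    return parse_pdu_unchecked(buf, buf_len, &p) ? (int)p.len : -1;
}

/* Returns 1 when the unchecked parser accepts the oversized frame while the
 * checked parser rejects it, i.e. the difference the mitigation makes. */
int demo(void)
{
    bool unchecked_ok = unchecked_len_of(bad_frame, sizeof bad_frame) >= 0;
    bool checked_ok = checked_len_of(bad_frame, sizeof bad_frame) >= 0;
    return (unchecked_ok && !checked_ok) ? 1 : 0;
}

int main(void)
{
    printf("good frame: checked=%d unchecked=%d\n",
           checked_len_of(good_frame, sizeof good_frame),
           unchecked_len_of(good_frame, sizeof good_frame));
    printf("oversized frame: checked=%d unchecked=%d (mitigation effective: %d)\n",
           checked_len_of(bad_frame, sizeof bad_frame),
           unchecked_len_of(bad_frame, sizeof bad_frame), demo());
    return 0;
}
```

The hardened form also uses size_t for the buffer size, so the comparison is done in the widest type the platform offers; the general rule for any length-prefixed protocol parser is to subtract the fixed header from the known buffer size after a minimum-size guard rather than add the untrusted length to anything. A fuzzer seeded with headers at and around the 16-bit boundary (0xFFFC to 0xFFFF) exercises exactly this path, which is what recommendation 5 is asking for.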
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: zephyr
- Date Reserved: 2025-10-21T17:37:08.220Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69407362d9bcdf3f3d00c448
Added to database: 12/15/2025, 8:45:22 PM
Last enriched: 12/15/2025, 9:02:09 PM
Last updated: 12/16/2025, 5:31:37 AM
Related Threats
- CVE-2025-14777: Authentication Bypass by Alternate Name in Red Hat Red Hat Build of Keycloak (Medium)
- CVE-2025-66357: Improper check for unusual or exceptional conditions in Inaba Denki Sangyo Co., Ltd. CHOCO TEI WATCHER mini (IB-MCT001) (Medium)
- CVE-2025-61976: Improper check for unusual or exceptional conditions in Inaba Denki Sangyo Co., Ltd. CHOCO TEI WATCHER mini (IB-MCT001) (High)
- CVE-2025-59479: Improper restriction of rendered UI layers or frames in Inaba Denki Sangyo Co., Ltd. CHOCO TEI WATCHER mini (IB-MCT001) (Medium)
- CVE-2025-13956: CWE-862 Missing Authorization in thimpress LearnPress – WordPress LMS Plugin (Medium)