CVE-2026-10651: Improper Input Validation in zephyrproject-rtos Zephyr
CVE-2026-10651 is a high-severity vulnerability in the Zephyr RTOS Bluetooth Classic SDP parser. It arises from improper input validation where a truncated SDP attribute causes an assertion failure or out-of-bounds read. This can lead to a kernel panic (denial of service) in assert-enabled builds or undefined behavior in others. The issue affects Zephyr versions up to and including 4.4.0.
AI Analysis
Technical Summary
The vulnerability occurs in the function bt_sdp_parse_attribute() within Zephyr's Bluetooth Classic SDP parser. The function expects an input buffer containing at least 4 bytes (1-byte attribute type, 2-byte attribute ID, and 1-byte value type). However, it unconditionally reads the value type byte without verifying its presence. If the input is truncated to only 3 bytes, the function calls net_buf_simple_pull() with insufficient buffer length, triggering an assertion failure (__ASSERT_NO_MSG) and causing a kernel panic in builds with assertions enabled. In builds without assertions, the parser may read beyond the buffer boundary, resulting in undefined behavior. This vulnerability can be triggered by a malformed Bluetooth Classic SDP attribute, leading to denial of service or memory safety issues.
Potential Impact
Exploitation of this vulnerability can cause a denial of service via a kernel panic in assert-enabled builds of Zephyr. In builds without assertions, it may lead to out-of-bounds memory reads and undefined behavior, potentially compromising system stability or security. The confidentiality impact is limited (partial information disclosure possible), integrity is not impacted, but availability is severely affected due to the denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling Bluetooth Classic SDP parsing if feasible or apply any vendor-recommended temporary mitigations. Monitor the official Zephyr project advisories for updates and apply official fixes once released.
CVE-2026-10651: Improper Input Validation in zephyrproject-rtos Zephyr
Description
CVE-2026-10651 is a high-severity vulnerability in the Zephyr RTOS Bluetooth Classic SDP parser. It arises from improper input validation where a truncated SDP attribute causes an assertion failure or out-of-bounds read. This can lead to a kernel panic (denial of service) in assert-enabled builds or undefined behavior in others. The issue affects Zephyr versions up to and including 4.4.0.
CVSS v3.1
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability occurs in the function bt_sdp_parse_attribute() within Zephyr's Bluetooth Classic SDP parser. The function expects an input buffer containing at least 4 bytes (1-byte attribute type, 2-byte attribute ID, and 1-byte value type). However, it unconditionally reads the value type byte without verifying its presence. If the input is truncated to only 3 bytes, the function calls net_buf_simple_pull() with insufficient buffer length, triggering an assertion failure (__ASSERT_NO_MSG) and causing a kernel panic in builds with assertions enabled. In builds without assertions, the parser may read beyond the buffer boundary, resulting in undefined behavior. This vulnerability can be triggered by a malformed Bluetooth Classic SDP attribute, leading to denial of service or memory safety issues.
Potential Impact
Exploitation of this vulnerability can cause a denial of service via a kernel panic in assert-enabled builds of Zephyr. In builds without assertions, it may lead to out-of-bounds memory reads and undefined behavior, potentially compromising system stability or security. The confidentiality impact is limited (partial information disclosure possible), integrity is not impacted, but availability is severely affected due to the denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a patch is available, users should consider disabling Bluetooth Classic SDP parsing if feasible or apply any vendor-recommended temporary mitigations. Monitor the official Zephyr project advisories for updates and apply official fixes once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-06-02T15:24:24.388Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a39d22ceed863c81e9d9253
Added to database: 06/23/2026, 00:24:12 UTC
Last enriched: 06/23/2026, 00:39:10 UTC
Last updated: 06/23/2026, 01:02:13 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.