The vulnerability in Zephyr's Bluetooth Host ISO receive path (bt_iso_recv() in subsys/bluetooth/host/iso.c) is due to missing validation of buffer length before pulling SDU headers from incoming HCI ISO data. When processing PB=START/SINGLE fragments, the code assumes the buffer contains enough bytes for either an 8-byte TS SDU header or a 4-byte non-TS SDU header without verifying this. Although the outer HCI ISO length check validates payload length consistency, it does not ensure the minimum inner SDU header size. Consequently, malformed ISO packets with minimal payload length can pass initial checks but cause net_buf_pull_mem() to assert on insufficient buffer length, leading to a deterministic kernel assert (denial of service) in assert-enabled builds. In builds without assertions, this can lead to out-of-bounds reads, potentially causing undefined behavior. This vulnerability affects Zephyr versions <=4.4.0 with CONFIG_BT_ISO_RX enabled, especially when incoming HCI data can be influenced by a malicious or compromised controller or malformed forwarded ISO traffic.

The vulnerability can cause a denial of service via kernel assertion failure in assert-enabled builds of Zephyr. In non-assert builds, it may lead to out-of-bounds read behavior, which could cause memory corruption or crashes. The confidentiality impact is low, as the vulnerability does not directly expose data. Integrity impact is none, and availability impact is high due to the denial of service potential.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling CONFIG_BT_ISO_RX if feasible or restrict the ability of untrusted or compromised controllers to send malformed HCI ISO data. Monitor vendor channels for updates and apply patches promptly once released.