CVE-2026-5589: Out-of-bounds Write in zephyrproject-rtos Zephyr
CVE-2026-5589 is an integer underflow vulnerability in the Zephyr RTOS Bluetooth Mesh solicitation handling code. It occurs when parsing Bluetooth Low Energy (BLE) advertising payloads with a crafted length byte that is less than 3, causing an out-of-bounds write. This can be triggered by a nearby BLE device without pairing or prior association. The vulnerability may lead to denial of service or arbitrary code execution due to invalid memory dereferences.
AI Analysis
Technical Summary
The vulnerability exists in the function bt_mesh_sol_recv() within Zephyr's Bluetooth Mesh solicitation subsystem. When the CONFIG_BT_MESH_OD_PRIV_PROXY_SRV configuration is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_len) and subtracts 3 without verifying that reported_len is at least 3. If reported_len is less than 3, the subtraction underflows as a signed integer, resulting in a large size_t value when passed to net_buf_simple_pull_mem(). This causes the buffer pointer to advance far out of bounds, leading to subsequent invalid memory reads. An attacker can exploit this by sending a non-connectable BLE advertisement with a crafted UUID16 AD structure and length byte, potentially causing denial of service or arbitrary code execution.
Potential Impact
A nearby attacker can trigger this vulnerability without any pairing or prior association by sending a specially crafted BLE advertisement. The out-of-bounds write and subsequent invalid memory dereference can cause denial of service or enable arbitrary code execution within the affected Zephyr RTOS Bluetooth Mesh component.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling the CONFIG_BT_MESH_OD_PRIV_PROXY_SRV feature if feasible to mitigate exposure. Monitor vendor channels for updates and apply patches promptly once released.
CVE-2026-5589: Out-of-bounds Write in zephyrproject-rtos Zephyr
Description
CVE-2026-5589 is an integer underflow vulnerability in the Zephyr RTOS Bluetooth Mesh solicitation handling code. It occurs when parsing Bluetooth Low Energy (BLE) advertising payloads with a crafted length byte that is less than 3, causing an out-of-bounds write. This can be triggered by a nearby BLE device without pairing or prior association. The vulnerability may lead to denial of service or arbitrary code execution due to invalid memory dereferences.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability exists in the function bt_mesh_sol_recv() within Zephyr's Bluetooth Mesh solicitation subsystem. When the CONFIG_BT_MESH_OD_PRIV_PROXY_SRV configuration is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_len) and subtracts 3 without verifying that reported_len is at least 3. If reported_len is less than 3, the subtraction underflows as a signed integer, resulting in a large size_t value when passed to net_buf_simple_pull_mem(). This causes the buffer pointer to advance far out of bounds, leading to subsequent invalid memory reads. An attacker can exploit this by sending a non-connectable BLE advertisement with a crafted UUID16 AD structure and length byte, potentially causing denial of service or arbitrary code execution.
Potential Impact
A nearby attacker can trigger this vulnerability without any pairing or prior association by sending a specially crafted BLE advertisement. The out-of-bounds write and subsequent invalid memory dereference can cause denial of service or enable arbitrary code execution within the affected Zephyr RTOS Bluetooth Mesh component.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling the CONFIG_BT_MESH_OD_PRIV_PROXY_SRV feature if feasible to mitigate exposure. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- zephyr
- Date Reserved
- 2026-04-05T02:52:29.084Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a21e829e29bf47b50d078f2
Added to database: 6/4/2026, 9:03:37 PM
Last enriched: 6/4/2026, 9:19:23 PM
Last updated: 6/4/2026, 11:29:12 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.