CVE-2026-9263: bounds in zephyrproject zephyr
The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification, a start segment (sc=0) always carries a 3-byte time_offset, so its segment-header len must be at least PDU_ISO_SEG_TIMEOFFSET_SIZE (3). isoal_check_seg_header() accepted start segments with len < 3 as valid, and isoal_rx_framed_consume() then computed length = seg_hdr->len - 3 in a uint8_t, underflowing to 253-255 when len is 0-2. That oversized length is passed to isoal_rx_append_to_sdu(), whose copy is clamped only against the destination SDU buffer size, not the source PDU length, so up to ~255 bytes of controller memory beyond the received PDU are copied (via sink_sdu_write_hci()/net_buf_add_mem) into an HCI ISO data packet and delivered to the host. The PDU and its segment headers are entirely attacker-controlled and arrive over the air, reachable through both the CIS and BIS-sync HCI data paths (hci_driver.c) and the vendor data path (ull_iso.c), so a remote CIS peer or a broadcaster the device is synced to can trigger an out-of-bounds read causing information disclosure to the host and potential denial of service (faults or malformed oversized HCI ISO packets). The flaw affects all Zephyr releases since framed ISO reception was introduced in v3.0.0. The fix rejects sc=0 segments with len < 3 in isoal_check_seg_header() and adds a guard before the subtraction in isoal_rx_framed_consume().
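To make the arithmetic in the description concrete, the following C model is an added example, not code from Zephyr or from this advisory. It reproduces the uint8_t wrap for a start segment whose len is below 3, shows how a copy clamped only against the destination buffer reads past a constructed PDU, and places beside it the two guards the fix describes (rejecting sc=0 segments with len < 3, and checking before the subtraction). The 2-byte segment-header layout, the function names, the 300-byte block standing in for controller memory and the 8-byte PDU are assumptions of the example; only the constant name PDU_ISO_SEG_TIMEOFFSET_SIZE and the 3-byte time_offset come from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the framed-ISO segment handling the advisory
 * describes. The constant name follows the advisory; the struct layout, the
 * assumed 2-byte segment header and every function body are this example's
 * own, not Zephyr's isoal.c. */
#define PDU_ISO_SEG_TIMEOFFSET_SIZE 3U
#define SEG_HDR_SIZE 2U /* assumed: one flags byte, one length byte */

struct seg_hdr {
    uint8_t sc;  /* 0 = start segment, which carries a 3-byte time_offset */
    uint8_t len; /* segment length field, received over the air */
};

/* Hardened header check: a start segment must at least hold its time_offset.
 * The vulnerable version accepted start segments with len < 3. */
static bool seg_header_ok_fixed(const struct seg_hdr *h)
{
    return !(h->sc == 0 && h->len < PDU_ISO_SEG_TIMEOFFSET_SIZE);
}

/* Vulnerable length computation: len - 3 stored in a uint8_t with no guard,
 * so len 0..2 wraps to 253..255. */
static uint8_t vuln_payload_len(uint8_t sc, uint8_t len)
{
    return sc == 0 ? (uint8_t)(len - PDU_ISO_SEG_TIMEOFFSET_SIZE) : len;
}

/* Guarded computation: -1 when the header is rejected, else the length. */
static int fixed_payload_len(uint8_t sc, uint8_t len)
{
    struct seg_hdr h = { .sc = sc, .len = len };
    if (!seg_header_ok_fixed(&h)) {
        return -1;
    }
    return sc == 0 ? (int)(len - PDU_ISO_SEG_TIMEOFFSET_SIZE) : (int)len;
}

/* Copy clamped only against the destination SDU capacity, the pattern the
 * advisory attributes to isoal_rx_append_to_sdu(). Returns bytes copied. */
static size_t append_clamp_dst_only(uint8_t *dst, size_t dst_cap,
                                    const uint8_t *src, size_t length)
{
    size_t n = length < dst_cap ? length : dst_cap;
    memcpy(dst, src, n);
    return n;
}

/* Copy clamped against the destination and the bytes left in the PDU. */
static size_t append_clamp_both(uint8_t *dst, size_t dst_cap, const uint8_t *src,
                                size_t src_remaining, size_t length)
{
    size_t n = length < dst_cap ? length : dst_cap;
    if (n > src_remaining) {
        n = src_remaining;
    }
    memcpy(dst, src, n);
    return n;
}

/* Constructed scenario: a 300-byte array stands in for controller memory.
 * The received PDU is its first PDU_LEN bytes; everything after it is
 * unrelated data that must never reach the host. Returns how many bytes
 * beyond the PDU the chosen policy copied into the SDU buffer. */
#define MEM_SIZE 300U
#define PDU_LEN 8U

static size_t bytes_leaked(bool fixed)
{
    static uint8_t mem[MEM_SIZE];
    uint8_t sdu[256];
    memset(mem, 0xAA, sizeof(mem));
    mem[0] = 0; /* constructed start segment: sc = 0 */
    mem[1] = 1; /* len = 1, smaller than the 3-byte time_offset */
    const struct seg_hdr h = { .sc = mem[0], .len = mem[1] };
    /* Segment payload follows the header and the time_offset. */
    const uint8_t *src = mem + SEG_HDR_SIZE + PDU_ISO_SEG_TIMEOFFSET_SIZE;
    size_t src_remaining = PDU_LEN - SEG_HDR_SIZE - PDU_ISO_SEG_TIMEOFFSET_SIZE;
    size_t copied;

    if (fixed) {
        int length = fixed_payload_len(h.sc, h.len);
        if (length < 0) {
            return 0; /* rejected before any copy happens */
        }
        copied = append_clamp_both(sdu, sizeof(sdu), src, src_remaining,
                                   (size_t)length);
    } else {
        uint8_t length = vuln_payload_len(h.sc, h.len); /* wraps to 254 */
        copied = append_clamp_dst_only(sdu, sizeof(sdu), src, length);
    }
    return copied > src_remaining ? copied - src_remaining : 0;
}
```

Calling bytes_leaked(false) walks the unguarded path: len = 1 wraps to 254, the copy stops only at the 256-byte SDU buffer, and 251 bytes past the 3 real payload bytes are copied. bytes_leaked(true) returns 0 because the hardened header check rejects the segment before the subtraction runs; even if a bad length slipped through, append_clamp_both() would still cap the copy at the bytes actually received. Both guards are worth keeping, since each covers a path the other does not.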
AI Analysis
Technical Summary
CVE-2026-9263 is a vulnerability in the Zephyr Bluetooth controller ISO Adaptation Layer (isoal.c) where the length field of a framed ISO PDU start segment is not properly validated. According to the Bluetooth specification, a start segment must have a segment-header length of at least 3 bytes. The function isoal_check_seg_header() incorrectly accepts start segments with length less than 3, causing isoal_rx_framed_consume() to underflow when computing length, resulting in an oversized length value (253-255). This oversized length is then used in isoal_rx_append_to_sdu() to copy memory beyond the received PDU, leading to an out-of-bounds read. The vulnerability can be triggered remotely by a Bluetooth peer or broadcaster via CIS and BIS-sync HCI data paths. The flaw affects all Zephyr releases since version 3.3.0 up to but not including 4.5.0. The fix rejects start segments with length less than 3 and adds a guard before subtraction to prevent underflow.
Potential Impact
An attacker controlling Bluetooth ISO PDU start segments can cause the Zephyr Bluetooth controller to read memory out-of-bounds and copy up to approximately 255 bytes beyond the intended buffer into HCI ISO data packets. This can lead to information disclosure to the host and potential denial of service through faults or malformed oversized packets. The vulnerability is exploitable remotely over the air via Bluetooth connections, affecting confidentiality and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor has implemented a fix that rejects start segments with length less than 3 and adds bounds checking to prevent underflow. Users should monitor official Zephyr project advisories for updates and apply the fix once available. Until then, consider restricting or monitoring Bluetooth ISO data traffic from untrusted sources if feasible.
CVSS v3.1
Score: 6.5 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: zephyr
- Date Reserved: 2026-05-21T23:33:58.944Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a43f43227e9c797191862b4
Added to database: 06/30/2026, 16:52:02 UTC
Last enriched: 06/30/2026, 17:07:05 UTC
Last updated: 06/30/2026, 17:39:26 UTC