PT-2026-53936 · Zephyrproject · Zephyr

Published: 2026-06-30

Updated: 2026-06-30

CVE-2026-9263

CVSS v3.1: 6.5 (Medium)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The Zephyr Bluetooth controller ISO Adaptation Layer (subsys/bluetooth/controller/ll_sw/isoal.c) fails to validate the length field of a framed ISO PDU start segment. Per the Bluetooth specification, a start segment (sc=0) always carries a 3-byte TimeOffset, so its segment-header len must be at least PDU_ISO_SEG_TIMEOFFSET_SIZE (3). isoal_check_seg_header() accepted start segments with len < 3 as valid, and isoal_rx_framed_consume() then computed length = seg_hdr->len - 3 in a uint8_t, which wraps to 253..255 when len is 0..2.

That oversized length is passed to isoal_rx_append_to_sdu(), whose copy is clamped only against the destination SDU buffer size, not against the remaining length of the source PDU, so up to roughly 255 bytes of controller memory beyond the received PDU are copied (via sink_sdu_write_hci()/net_buf_add_mem()) into an HCI ISO data packet and delivered to the host.

The PDU and its segment headers are entirely attacker-controlled and arrive over the air. The code is reachable through both the CIS and BIS-sync HCI data paths (hci_driver.c) and the vendor data path (ull_iso.c), so a remote CIS peer, or a broadcaster the device is synchronized to, can trigger an out-of-bounds read that discloses controller memory to the host and may cause a denial of service (faults, or malformed oversized HCI ISO packets).

The flaw affects all Zephyr releases since framed ISO reception was introduced in v3.0.0. The fix rejects sc=0 segments with len < 3 in isoal_check_seg_header() and adds a guard before the subtraction in isoal_rx_framed_consume().
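To make the wrap-around and the one-sided copy clamp concrete, the following is an added example written for this page; it is not Zephyr's isoal.c and does not reproduce its structures. It models a framed-PDU start-segment consumer in two builds, vulnerable and fixed. The segment-header layout (a flags byte with SC in bit 0, then a length byte), the 64-byte SDU buffer, the simulated controller-memory window filled with a marker byte, and the two sample PDUs are all constructed assumptions. The two rejections in the hardened path follow the advisory's description of the fix; the clamp against the source PDU length is an extra defence-in-depth check of my own, not part of that fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed framing for this model (not Zephyr's structs): a 2-byte segment header,
 * a flags byte with SC in bit 0 followed by a length byte, then for SC=0 a 3-byte
 * TimeOffset before the SDU payload bytes. */
#define SEG_HDR_SIZE        2
#define SEG_TIMEOFFSET_SIZE 3
#define SDU_CAP             64   /* host-bound SDU buffer capacity (assumption) */
#define MEM_SIZE            320  /* simulated controller memory window (assumption) */
#define ADJ_MARKER          0x5A /* fill byte standing in for memory past the PDU */

/* Models the header validation: the vulnerable build accepted a start segment
 * whose len cannot even hold the 3-byte TimeOffset. */
static bool seg_header_ok(uint8_t sc, uint8_t seg_len, bool hardened)
{
    if (sc == 0 && seg_len < SEG_TIMEOFFSET_SIZE) {
        return !hardened;
    }
    return true;
}

/* Models consuming the first segment of `pdu` (pdu_len bytes received) and
 * appending it to `sdu`. Returns the number of bytes copied, or -1 if the
 * segment is rejected. */
static int consume_first_segment(const uint8_t *pdu, size_t pdu_len,
                                 uint8_t *sdu, size_t sdu_cap, bool hardened)
{
    if (pdu_len < SEG_HDR_SIZE) {
        return -1;
    }
    uint8_t sc = pdu[0] & 0x01;
    uint8_t seg_len = pdu[1];
    const uint8_t *payload = pdu + SEG_HDR_SIZE;
    uint8_t length;

    if (!seg_header_ok(sc, seg_len, hardened)) {
        return -1;
    }
    if (sc == 0) {
        /* Second site of the fix: guard before the subtraction. */
        if (hardened && seg_len < SEG_TIMEOFFSET_SIZE) {
            return -1;
        }
        /* Vulnerable arithmetic: len 0..2 minus 3 wraps in uint8_t to 253..255. */
        length = (uint8_t)(seg_len - SEG_TIMEOFFSET_SIZE);
        payload += SEG_TIMEOFFSET_SIZE;
    } else {
        length = seg_len;
    }

    size_t n = length;
    if (hardened) {
        /* Defence in depth (my addition, beyond the advisory's fix): never read
         * past the bytes that were actually received. */
        size_t off = (size_t)(payload - pdu);
        if (off > pdu_len) {
            return -1;
        }
        if (n > pdu_len - off) {
            n = pdu_len - off;
        }
    }
    /* Destination clamp: in the vulnerable build this is the only bound on the copy. */
    if (n > sdu_cap) {
        n = sdu_cap;
    }
    memcpy(sdu, payload, n);
    return (int)n;
}

/* Constructed inputs. malformed_pdu is a start segment (SC=0) claiming len=2,
 * below the 3-byte TimeOffset; valid_pdu claims len=7 = TimeOffset + 4 payload bytes. */
static const uint8_t malformed_pdu[] = { 0x00, 0x02, 0xAA, 0xBB };
static const uint8_t valid_pdu[] = { 0x00, 0x07, 0x10, 0x20, 0x30, 0xDE, 0xAD, 0xBE, 0xEF };

/* Place `pdu` at the start of a marker-filled memory window and consume it.
 * Returns bytes copied (or -1); *leaked receives how many copied bytes carried
 * ADJ_MARKER, i.e. came from memory beyond the received PDU. */
static int run_pdu(const uint8_t *pdu, size_t pdu_len, bool hardened, int *leaked)
{
    uint8_t mem[MEM_SIZE];
    uint8_t sdu[SDU_CAP];
    memset(mem, ADJ_MARKER, sizeof mem);
    memcpy(mem, pdu, pdu_len);
    memset(sdu, 0, sizeof sdu);

    int n = consume_first_segment(mem, pdu_len, sdu, sizeof sdu, hardened);
    int l = 0;
    for (int i = 0; i < n; i++) {
        if (sdu[i] == ADJ_MARKER) {
            l++;
        }
    }
    if (leaked) {
        *leaked = l;
    }
    return n;
}

int main(void)
{
    int leaked;
    int n = run_pdu(malformed_pdu, sizeof malformed_pdu, false, &leaked);
    printf("vulnerable, len=2 start segment: copied %d bytes, %d from past the PDU\n", n, leaked);
    n = run_pdu(malformed_pdu, sizeof malformed_pdu, true, &leaked);
    printf("hardened,   len=2 start segment: result %d (rejected)\n", n);
    n = run_pdu(valid_pdu, sizeof valid_pdu, true, &leaked);
    printf("hardened,   len=7 start segment: copied %d payload bytes\n", n);
    return 0;
}
```

In the vulnerable build the 4-byte malformed PDU fills the entire 64-byte SDU buffer with marker bytes, because the wrapped length (255) is bounded only by the destination and the payload pointer already sits past the PDU end; the hardened build rejects it at the header check. The well-formed segment yields the same 4 payload bytes in both builds, which is the check to run when reviewing the fix for regressions on legitimate traffic.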

Weakness Enumeration

Out-of-bounds Read

Related identifiers

CVE-2026-9263

Affected products

Zephyr