
Wxzzzzzzz

#42415 of 53,633
6.3 Total CVSS
Vulnerabilities · 1
PT-2026-46319
6.3
2026-06-04
Bluetooth Sig · Bluetooth Mesh · CVE-2026-5589
**Name of the Vulnerable Software and Affected Versions**

Bluetooth Mesh (affected versions not specified)

**Description**

An integer underflow occurs in the `bt_mesh_sol_recv()` function within the Bluetooth Mesh solicitation handling. When `CONFIG_BT_MESH_OD_PRIV_PROXY_SRV` is enabled, the function parses solicitation Protocol Data Units (PDUs) from raw BLE advertising payloads. The parsing loop reads an attacker-controlled length byte `reported_len` and calculates `reported_len - 3` without verifying that `reported_len` is at least 3. If `reported_len` is less than 3, the resulting negative value bypasses length guards and is converted to a large `size_t` when passed to `net_buf_simple_pull_mem()`. In builds without assertions, this causes the data pointer to advance out of bounds, leading to invalid memory dereferences. A nearby BLE device can trigger this using a non-connectable advertisement with a UUID16 AD structure and a crafted length byte without requiring pairing or association, which may result in denial of service or arbitrary code execution.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
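The length check the Description says is missing, as an added example that is not code from the affected project: it shows the value `reported_len - 3` takes as a `size_t` and a parse that validates the length byte before subtracting. The `sbuf` type, the function names, the sample bytes and the reading of the 3 as one type byte plus a 2-byte UUID16 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a pull-style buffer; not the real net_buf_simple. */
struct sbuf { const uint8_t *data; size_t len; };

/* Constructed samples, assumed layout: [len][type][UUID16 lo][UUID16 hi][payload]. */
const uint8_t SAMPLE_OK[]    = {0x05, 0x16, 0x34, 0x12, 0xAA, 0xBB};
const uint8_t SAMPLE_SHORT[] = {0x02, 0x16, 0x34};             /* len < 3 */
const uint8_t SAMPLE_TRUNC[] = {0x09, 0x16, 0x34, 0x12, 0xAA}; /* len > data left */

/* Value the unchecked subtraction takes once it is passed as a size_t. */
size_t unchecked_payload_len(uint8_t reported_len)
{
    return (size_t)(reported_len - 3); /* int arithmetic: 2 - 3 == -1 */
}

/* Bounds-checked pull: NULL instead of advancing past the end. */
static const uint8_t *sbuf_pull(struct sbuf *b, size_t n)
{
    if (n > b->len) return NULL;
    const uint8_t *p = b->data;
    b->data += n;
    b->len -= n;
    return p;
}

/* Hardened parse of one structure; returns payload length or -1 if malformed. */
long parse_bytes(const uint8_t *adv, size_t adv_len)
{
    struct sbuf b = { adv, adv_len };
    const uint8_t *p = sbuf_pull(&b, 1);
    if (!p) return -1;
    uint8_t reported_len = p[0];
    /* Validate before subtracting: cover type + UUID16 and fit in the buffer. */
    if (reported_len < 3 || reported_len > b.len) return -1;
    sbuf_pull(&b, 3);                          /* type + UUID16, checked above */
    size_t n = (size_t)reported_len - 3;
    return sbuf_pull(&b, n) ? (long)n : -1;
}

int main(void)
{
    printf("unchecked len for 2: %zu\n", unchecked_payload_len(2));
    printf("ok=%ld short=%ld trunc=%ld\n",
           parse_bytes(SAMPLE_OK, sizeof SAMPLE_OK),
           parse_bytes(SAMPLE_SHORT, sizeof SAMPLE_SHORT),
           parse_bytes(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```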