PT-2026-53913 · Zephyr · Zephyr
Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-10654
CVSS v3.1: 3.1 (Low)
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Zephyr versions prior to 4.4.0
Description
A race condition exists in the Bluetooth Classic RFCOMM host stack, in the file subsys/bluetooth/host/classic/rfcomm.c. The issue occurs during a simultaneous bidirectional session disconnect, when the local device initiates a teardown and the connected peer concurrently sends its own disconnect frame for dlci 0. In this scenario, the rfcomm_handle_disc() function calls rfcomm_session_disconnected(), which forces the session state to BT_RFCOMM_STATE_DISCONNECTED without calling bt_l2cap_chan_disconnect() to release the underlying L2CAP channel. As a result, the session slot in the bt_rfcomm_pool array is not reclaimed and the session becomes permanently wedged. Subsequent bt_rfcomm_dlc_connect() calls then fail, denying RFCOMM service for that peer. Repeated occurrences can exhaust the session pool, impacting system availability through a resource leak.
Recommendations
Update to a version newer than 4.4.0.
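The slot leak from the description, as a simplified model added here for illustration; it is not Zephyr source code and not the project's patch. All names (pool, session_alloc, peer_disc_dlci0, run_cycles), the pool size of 2 and the rule that a slot is reusable only once its channel is released are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define POOL_SIZE 2 /* constructed pool size for this model */
enum state { IDLE, CONNECTED, DISCONNECTING, DISCONNECTED };
struct session { enum state state; bool chan_held; /* models the attached L2CAP channel */ };
static struct session pool[POOL_SIZE];

/* Assumption: a slot is reusable only after its channel is released. */
static struct session *session_alloc(void)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].chan_held) {
            pool[i] = (struct session){ CONNECTED, true };
            return &pool[i];
        }
    }
    return NULL; /* pool exhausted */
}

/* Peer DISC for dlci 0 during local teardown; release_chan=false models the flaw. */
static void peer_disc_dlci0(struct session *s, bool release_chan)
{
    s->state = DISCONNECTED;      /* state is forced either way */
    if (release_chan)
        s->chan_held = false;     /* models releasing the L2CAP channel */
}

/* Run simultaneous-disconnect cycles; return how many connects succeeded. */
int run_cycles(int rounds, bool release_chan)
{
    int ok = 0;
    for (size_t i = 0; i < POOL_SIZE; i++)
        pool[i] = (struct session){ IDLE, false };
    for (int r = 0; r < rounds; r++) {
        struct session *s = session_alloc();
        if (s == NULL) continue;  /* connect attempt fails */
        ok++;
        s->state = DISCONNECTING; /* local teardown started */
        peer_disc_dlci0(s, release_chan);
    }
    return ok;
}

int main(void)
{
    printf("leaky: %d/5, releasing: %d/5\n", run_cycles(5, false), run_cycles(5, true));
}
```

In the leaky variant every cycle strands one slot, so connects stop succeeding once the pool size is reached; with the channel released, each slot is reused.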
Fix
Race Condition
Weakness Enumeration
Related Identifiers
Affected Products
Zephyr