PT-2026-53913 · Zephyr · Zephyr

Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-10654

CVSS v3.1: 3.1 (Low)

Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Zephyr versions prior to 4.4.0

Description

A race condition exists in the Bluetooth Classic RFCOMM host stack within the subsys/bluetooth/host/classic/rfcomm.c file. The issue occurs during a simultaneous bidirectional session disconnect, when a local device initiates a teardown and the connected peer concurrently sends its own disconnect frame for DLCI 0. In this scenario, the rfcomm_handle_disc() function calls rfcomm_session_disconnected(), which forces the session state to BT_RFCOMM_STATE_DISCONNECTED without calling bt_l2cap_chan_disconnect() to release the underlying L2CAP channel.

As a result, the session slot in the bt_rfcomm_pool array is not reclaimed and the session becomes permanently wedged. Subsequent bt_rfcomm_dlc_connect() calls fail, denying RFCOMM service for that peer. Repeated occurrences can exhaust the session pool, impacting system availability through a resource leak.

Recommendations

Update to a version newer than 4.4.0.
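
The leak described above, reduced to a simplified model that is added here and is neither Zephyr source nor the project's patch. The names `pool`, `session_alloc`, `handle_peer_disc` and `simulate` are hypothetical, the pool size of 2 is assumed, and the `release_channel` branch is an assumed correction used only to contrast the two behaviours.

```c
/* Constructed model of the session-slot leak; not Zephyr source code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define POOL_SIZE 2 /* assumed pool size for the demo */
enum state { IDLE, CONNECTED, DISCONNECTING, DISCONNECTED };
/* chan_in_use stands in for the underlying L2CAP channel. */
struct session { bool chan_in_use; enum state state; };
static struct session pool[POOL_SIZE];

/* A slot is reusable only once its channel has been released. */
static struct session *session_alloc(void) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (pool[i].chan_in_use) continue;
        pool[i] = (struct session){ true, CONNECTED };
        return &pool[i];
    }
    return NULL; /* pool exhausted: the connect attempt fails */
}

/* Peer DISC for DLCI 0 arrives while the local teardown is in flight. */
static void handle_peer_disc(struct session *s, bool release_channel) {
    s->state = DISCONNECTED; /* state forced, as the description says */
    if (release_channel) {   /* assumed correction: also drop the channel */
        s->chan_in_use = false;
        s->state = IDLE;
    }
}

/* Run simultaneous disconnects; return how many connects succeeded. */
int simulate(int rounds, bool release_channel) {
    int ok = 0;
    for (size_t i = 0; i < POOL_SIZE; i++) pool[i] = (struct session){ 0 };
    for (int r = 0; r < rounds; r++) {
        struct session *s = session_alloc();
        if (s == NULL) continue;
        ok++;
        s->state = DISCONNECTING; /* local side starts teardown */
        handle_peer_disc(s, release_channel);
    }
    return ok;
}

int main(void) {
    printf("leaky: %d of 5\n", simulate(5, false));
    printf("releasing: %d of 5\n", simulate(5, true));
    return 0;
}
```

In the leaky run only as many connects succeed as there are pool slots, which is the exhaustion condition a fleet health check can look for: connect failures that persist after every peer has disconnected.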

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2026-10654

Affected Products

Zephyr