PT-2026-57480 · Zephyr · Zephyr

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-10660

CVSS v3.1

6.4

Medium

VectorAV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions Zephyr versions prior to 4.4.0
Description The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap broadcast assistant.c uses a single file-static net buf simple buffer (att buf) shared across all connection instances to reassemble remote Broadcast Receive State data. While the BUSY flag and read offsets are per-connection, the shared buffer leads to interleaving of notification and long-read callbacks when the device is connected to multiple Scan Delegator peripherals.
Because the notify handler function uses net buf simple add mem without performing a tailroom check, data from multiple delegators can accumulate and exceed the 512-byte buffer limit, especially with a large ATT MTU. This allows a malicious or compromised Scan Delegator to trigger out-of-bounds writes, resulting in memory corruption or denial of service. Additionally, if one connection resets the shared buffer while another is still reassembling data, it can lead to cross-connection data corruption.
Recommendations Update Zephyr to a version later than 4.4.0.

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-10660

Affected Products

Zephyr