PT-2026-57480 · Zephyr · Zephyr
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-10660
CVSS v3.1
6.4
Medium
| Vector | AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H |
Name of the Vulnerable Software and Affected Versions
Zephyr versions prior to 4.4.0
Description
The Bluetooth BAP Broadcast Assistant GATT client in
subsys/bluetooth/audio/bap broadcast assistant.c uses a single file-static net buf simple buffer (att buf) shared across all connection instances to reassemble remote Broadcast Receive State data. While the BUSY flag and read offsets are per-connection, the shared buffer leads to interleaving of notification and long-read callbacks when the device is connected to multiple Scan Delegator peripherals.Because the
notify handler function uses net buf simple add mem without performing a tailroom check, data from multiple delegators can accumulate and exceed the 512-byte buffer limit, especially with a large ATT MTU. This allows a malicious or compromised Scan Delegator to trigger out-of-bounds writes, resulting in memory corruption or denial of service. Additionally, if one connection resets the shared buffer while another is still reassembling data, it can lead to cross-connection data corruption.Recommendations
Update Zephyr to a version later than 4.4.0.
Fix
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Zephyr