Out-of-bounds read in Bluetooth Classic SDP attribute parsing (`bt_sdp_parse_attribute`)
Summary
| CVE | CVE-2026-10651 |
|---|---|
| State | PUBLISHED |
| Assigner | zephyr |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-23 01:16:26 UTC |
| Updated | 2026-07-17 16:17:12 UTC |
| Description | bt_sdp_parse_attribute() in subsys/bluetooth/host/classic/sdp.c validated only that the SDP record buffer held the type-marker byte plus the 2-byte attribute ID (a check of buf->len < 3) but then read a fourth byte, the data-element descriptor (type), via net_buf_simple_pull_u8(). Because net_buf_simple_pull_u8() dereferences buf->data[0] before its only bounds guard (an __ASSERT_NO_MSG that compiles out when CONFIG_ASSERT is disabled, the production default), a record of exactly three bytes (0x09 followed by a 2-byte attribute ID) causes a one-byte read past the end of the logical buffer. The parser is reachable from inbound, remote-controlled data: a Bluetooth BR/EDR peer acting as an SDP server returns discovery-response records that are stored verbatim in the client receive buffer and parsed via the public bt_sdp_get_attr()/bt_sdp_has_attr()/bt_sdp_record_parse() helpers. The over-read is bounded to a single byte that is used only as an internal length selector and is never leaked to the attacker; subsequent length checks then reject the malformed record. Realistic impact is therefore limited to an edge-case denial of service (a fault only if the record ends exactly at a mapped-memory boundary, or a deterministic assert panic when CONFIG_ASSERT=y). Affects Zephyr v4.3.0 and v4.4.0; fixed by adding sizeof(type) to the length check. |
Risk And Classification
Primary CVSS: v3.1 6.5 MEDIUM from [email protected]
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.001830000 probability, percentile 0.080580000 (date 2026-07-17)
Problem Types: CWE-20 | CWE-617 | CWE-20 bounds | CWE-617 bounds
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 6.5 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H |
| 3.1 | CNA | CVSS | 7.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
AdjacentAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Zephyrproject | Zephyr | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Zephyrproject | Zephyr | affected 4.3.0 4.5.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/zephyrproject-rtos/zephyr/commit/dfac5224ab65fc7b81be29263861... | [email protected] | github.com | |
| github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p93g-3r68-... | [email protected] | github.com | Exploit, Patch, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.