A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header (4 bytes, ts=0) without first verifying that buf->len contains at least that many bytes. The outer HCI ISO length check in hci_iso() validates payload length consistency but not the minimum inner SDU header size, so a packet with payload length 1 passes hci_iso() and then reaches net_buf_pull_mem(), which asserts buf->len >= len. As a result, malformed ISO traffic deterministically triggers a kernel assert (denial of service) in assert-enabled builds, and in non-assert builds the same path may proceed with an undersized buffer, leading to out-of-bounds read behavior. The issue affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled, particularly where incoming HCI data can be influenced by a malicious or compromised controller or malformed forwarded ISO traffic.
PUBLISHED5.2
Bluetooth Host ISO RX Missing SDU Header Length Validation in bt_iso_recv() Leads to DoS
Affected products
zephyrproject-rtos
Zephyr
<= 4.4.0 - AFFECTED
References
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-10658Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-10658",
"assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad",
"assignerShortName": "zephyr",
"dateUpdated": "2026-06-22T23:58:47.022Z",
"dateReserved": "2026-06-02T15:24:35.422Z",
"datePublished": "2026-06-22T23:58:47.022Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad",
"shortName": "zephyr",
"dateUpdated": "2026-06-22T23:58:47.022Z"
},
"title": "Bluetooth Host ISO RX Missing SDU Header Length Validation in bt_iso_recv() Leads to DoS",
"descriptions": [
{
"lang": "en",
"value": "A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header (4 bytes, ts=0) without first verifying that buf->len contains at least that many bytes. The outer HCI ISO length check in hci_iso() validates payload length consistency but not the minimum inner SDU header size, so a packet with payload length 1 passes hci_iso() and then reaches net_buf_pull_mem(), which asserts buf->len >= len. As a result, malformed ISO traffic deterministically triggers a kernel assert (denial of service) in assert-enabled builds, and in non-assert builds the same path may proceed with an undersized buffer, leading to out-of-bounds read behavior. The issue affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled, particularly where incoming HCI data can be influenced by a malicious or compromised controller or malformed forwarded ISO traffic.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "Bluetooth Host ISO RX Missing SDU Header Length Validation in bt_iso_recv() Leads to DoS"
}
]
}
],
"affected": [
{
"vendor": "zephyrproject-rtos",
"product": "Zephyr",
"packageName": "Zephyr",
"repo": "https://github.com/zephyrproject-rtos/zephyr",
"defaultStatus": "unaffected",
"versions": [
{
"version": "*",
"status": "affected",
"versionType": "git",
"lessThanOrEqual": "4.4.0"
}
]
}
],
"references": [
{
"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-26g8-rmpf-j6cw"
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"attackVector": "ADJACENT_NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH"
}
}
]
}
}
}