CVE-2026-10651 | A malformed Bluetooth Classic SDP attribute can trigger a re… | CVSS 7.1 HIGH

Description

A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then unconditionally pulls an additional byte for the value type without verifying that the byte is present. A truncated 3-byte attribute (for example 09 00 09) therefore reaches net_buf_simple_pull() with insufficient remaining length, triggering the __ASSERT_NO_MSG(buf->len >= len) check and a kernel panic in assert-enabled builds (denial of service). In builds where assertions are disabled, parsing may continue past the end of the available buffer, leading to an out-of-bounds read and undefined behavior.

Metadata

CVE ID: CVE-2026-10651
State: PUBLISHED
Assigner: zephyr
Reserved: 2026-06-02 15:24 UTC
Published: 2026-06-22 23:54 UTC
Last updated: 2026-06-22 23:54 UTC
Primary CWE: CWE-20
Improper Input Validation
Vendor / Product: zephyrproject-rtos / Zephyr
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 3.1

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Affected products (1)

Vendor	Product	Platform	Versions
zephyrproject-rtos	Zephyr	—	* ≤ 4.4.0

Weakness (CWE)

CWE	Source	Description
CWE-20	cna	Improper Input Validation
CWE-617	cna	Reachable Assertion

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	3.1	cna	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

References (1)

https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-p93g-3r68-cj53