Zephyr Bluetooth Host Stack Integer Overflow Vulnerability in BR/EDR L2CAP Processing

Vulnerability

A moderate-severity integer overflow vulnerability has been identified in the Bluetooth Host stack of Zephyr version 4.2. The issue is located in the 'bt_br_acl_recv' routine, which handles inbound Bluetooth Classic (BR/EDR) L2CAP traffic. A remote, unauthenticated Bluetooth device can send crafted packets that cause the overflow, consuming CPU time and bypassing flow-control checks. There is no direct memory corruption, but the result is a denial-of-service condition that is especially disruptive on resource-constrained devices.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing operational disruptions, resource exhaustion, or triggering a watchdog reset in constrained systems.

Remediation

Users are advised to validate the 'hdr->len' field against the length of the received buffer before performing any arithmetic on it, so that the computation cannot overflow. This vulnerability affects all BR/EDR-enabled targets running Zephyr 4.2.0.
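As an added illustration (this is not code from Zephyr or from this advisory), the following C sketch contrasts a length computation that wraps in a 16-bit type with a check that validates the header length field against the bytes actually received before any arithmetic is done. The header layout follows the basic L2CAP header (16-bit length, 16-bit channel id); the struct and function names, the reject/accept return convention and the constructed sample packets are assumptions made for this example and are not Zephyr's internal API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Basic L2CAP header: 16-bit payload length followed by 16-bit channel id,
 * little-endian on the wire. Struct name is an assumption for this example. */
struct l2cap_hdr_example {
    uint16_t len;
    uint16_t cid;
};

#define L2CAP_HDR_LEN 4U

/* Read the little-endian length field from the start of a buffer. */
static uint16_t read_hdr_len(const uint8_t *buf)
{
    return (uint16_t)(buf[0] | (buf[1] << 8));
}

/* Unsafe pattern: header length plus header size computed in a 16-bit type.
 * For hdr_len >= 65532 the sum wraps to a small value, so a later comparison
 * against the buffer size passes even though the claimed payload is huge. */
static uint16_t unchecked_total_len(uint16_t hdr_len)
{
    return (uint16_t)(hdr_len + L2CAP_HDR_LEN);
}

/* Acceptance test a naive receive path might apply using the wrapped total. */
static bool unchecked_accepts(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < L2CAP_HDR_LEN) return false;
    return unchecked_total_len(read_hdr_len(buf)) <= buf_len;
}

/* Safe pattern: bound the length field by what was actually received before
 * using it. The comparison is done by subtraction in size_t after the header
 * size has been checked, so no addition can overflow. Returns true only when
 * hdr_len payload bytes really follow the header inside buf_len. */
static bool l2cap_len_is_valid(const uint8_t *buf, size_t buf_len, size_t *payload_len_out)
{
    if (buf == NULL || buf_len < L2CAP_HDR_LEN) return false;   /* truncated header */
    uint16_t hdr_len = read_hdr_len(buf);
    size_t avail = buf_len - L2CAP_HDR_LEN;                     /* cannot underflow */
    if (hdr_len > avail) return false;                           /* claims more than received */
    if (payload_len_out) *payload_len_out = hdr_len;
    return true;
}

/* Constructed 6-byte packets for demonstration: a well-formed one with len=2,
 * and one whose len field (0xFFFC) makes the 16-bit sum wrap to 0. */
static const uint8_t sample_good[] = { 0x02, 0x00, 0x40, 0x00, 0xAA, 0xBB };
static const uint8_t sample_wrap[] = { 0xFC, 0xFF, 0x40, 0x00, 0xAA, 0xBB };

/* True when the wrapped packet slips past the unchecked path but is rejected
 * by the validated one, i.e. when the check makes the difference it should. */
static bool demo_wrapped_packet_rejected(void)
{
    bool naive = unchecked_accepts(sample_wrap, sizeof(sample_wrap));
    bool strict = l2cap_len_is_valid(sample_wrap, sizeof(sample_wrap), NULL);
    return naive && !strict;
}

/* True when the well-formed packet is accepted with the expected payload size. */
static bool demo_good_packet_accepted(void)
{
    size_t payload = 0;
    return l2cap_len_is_valid(sample_good, sizeof(sample_good), &payload) && payload == 2;
}

int main(void)
{
    printf("wrapped total for len=0xFFFC: %u\n", unchecked_total_len(0xFFFC));
    printf("wrapped packet: naive accepts, validated rejects -> %s\n",
           demo_wrapped_packet_rejected() ? "yes" : "no");
    printf("good packet accepted with payload 2 -> %s\n",
           demo_good_packet_accepted() ? "yes" : "no");
    return 0;
}
```

The point of the validated path is that the length field is never trusted on its own: it is compared against the bytes actually present in the ACL buffer, and the comparison is arranged so that no sum of attacker-controlled values is formed first.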

Added: Dec 15, 2025, 8:23 PM
Updated: Dec 15, 2025, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 4.7
remediation: 0.0
relevance: 1.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.