Zephyr Bluetooth Out-of-Bounds Write Vulnerability in L2CAP LE CoC Segmentation Handling

Vulnerability

A remote, unauthenticated Bluetooth Low Energy (BLE) peer can trigger a vulnerability in the Zephyr Bluetooth host in versions through 4.4.0. The issue arises during reassembly of L2CAP LE Continuation Channel (CoC) Segmentation Data Units (SDUs). When the application enables segmentation and the selected receive pool has a user data size smaller than 2 bytes, the reassembly code performs a 2-byte out-of-bounds write. The vulnerable code path is the 'l2cap_chan_le_recv_seg' function in the L2CAP module of the Bluetooth host.
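To illustrate the missing check the description implies, here is a simplified reassembly routine added as an example (it is not Zephyr's code, and the 'rx_buf' type, 'le_recv_seg' function and return codes are hypothetical). It keeps the 2-byte SDU length header in the receive buffer and refuses any segment that would not fit the pool's user data size, which is exactly the case (user data size below 2 bytes) that produces the out-of-bounds write when left unchecked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a receive-pool buffer (hypothetical; not Zephyr's
 * net_buf). 'size' is the pool's user data size, 'len' the bytes stored. */
struct rx_buf {
    uint8_t *data;
    size_t size;
    size_t len;
    size_t sdu_len;   /* SDU length announced by the first segment */
};

enum { SEG_OK = 0, SEG_COMPLETE = 1, SEG_ERR_NO_ROOM = -1, SEG_ERR_LEN = -2 };

static size_t tailroom(const struct rx_buf *b) { return b->size - b->len; }

/* Reassemble one L2CAP LE CoC segment into 'sdu'. The first segment of an
 * SDU starts with a 2-byte little-endian SDU length. Every write is guarded
 * by a tailroom check, so a pool whose user data size is smaller than
 * 2 bytes is rejected instead of being overrun by the 2-byte header copy. */
int le_recv_seg(struct rx_buf *sdu, const uint8_t *seg, size_t seg_len, bool first)
{
    if (first) {
        sdu->len = 0;                              /* start a new SDU */
        if (seg_len < 2) return SEG_ERR_LEN;
        if (tailroom(sdu) < 2) return SEG_ERR_NO_ROOM; /* the decisive check */
        sdu->sdu_len = (size_t)seg[0] | ((size_t)seg[1] << 8);
        memcpy(sdu->data, seg, 2);
        sdu->len = 2;
        seg += 2;
        seg_len -= 2;
    } else if (sdu->len < 2) {
        return SEG_ERR_LEN;                        /* continuation without a start */
    }
    /* Payload must fit both the announced SDU length and the pool buffer. */
    if (sdu->len - 2 + seg_len > sdu->sdu_len) return SEG_ERR_LEN;
    if (tailroom(sdu) < seg_len) return SEG_ERR_NO_ROOM;
    memcpy(sdu->data + sdu->len, seg, seg_len);
    sdu->len += seg_len;
    return (sdu->len - 2 == sdu->sdu_len) ? SEG_COMPLETE : SEG_OK;
}
```

Feeding a first segment into a 1-byte pool buffer returns SEG_ERR_NO_ROOM with nothing written, while a 16-byte buffer reassembles a 5-byte SDU across two segments and rejects a third segment that exceeds the announced length.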

Impact

Exploitation of this vulnerability results in a 2-byte out-of-bounds write that corrupts the heap. When AddressSanitizer is enabled, the out-of-bounds write is detected and the program aborts. Without AddressSanitizer, the heap corruption can lead to a fatal error that disrupts normal application operation.

Added: Jun 9, 2026, 8:21 AM
Updated: Jun 9, 2026, 8:21 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 3.1
exploitability: 6.0
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.