HIGH 7.6

CVE-2026-5068: Zephyr Bluetooth L2CAP Out-of-Bounds Write – Remote DoS Risk

A vulnerability in Zephyr's Bluetooth host stack allows a nearby attacker to crash devices or corrupt memory by sending specially crafted Bluetooth Low Energy (BLE) packets. The flaw occurs when applications enable a feature called segmentation for handling large BLE messages, but configure their memory pools with insufficient space to track incoming data. An attacker within BLE range (typically 10–240 meters depending on device and antenna) can exploit this without any authentication, causing the device to crash or potentially enabling further compromise through heap corruption.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.6 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Weaknesses (CWE)
CWE-787
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-07-08

NVD description (verbatim)

A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. When the application enables segmentation (via chan_ops.alloc_buf) and the chosen RX pool has a user_data_size smaller than 2 bytes, the segmentation counter stored in the net_buf user_data area is written out of bounds in l2cap_chan_le_recv_seg (subsys/bluetooth/host/l2cap.c). The observed effects are an AddressSanitizer abort and, without ASan, heap corruption / fatal error.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-5068 is a 2-byte out-of-bounds write vulnerability in Zephyr's L2CAP LE Connection-Oriented Channel (CoC) SDU reassembly logic, located in subsys/bluetooth/host/l2cap.c within the l2cap_chan_le_recv_seg function. When an application uses chan_ops.alloc_buf to enable segmentation and configures an RX net_buf pool with user_data_size smaller than 2 bytes, the segmentation counter field written to the net_buf user_data region exceeds allocated bounds. This triggers out-of-bounds writes that manifest as AddressSanitizer abort conditions on instrumented builds and heap corruption or fatal errors on production builds. The vulnerability requires the remote peer to be within BLE range but does not require authentication or user interaction.

Business impact

Devices running vulnerable Zephyr configurations face denial-of-service risk via remote crash, potential data corruption on the heap, and in worst-case scenarios, memory corruption that could enable code execution. For IoT deployments (industrial sensors, medical devices, smart home hubs), this translates to unplanned downtime, loss of availability, and potential safety implications in critical environments. The attack surface is particularly broad because it targets the foundational Bluetooth host layer; any Zephyr-based BLE product with segmentation enabled is potentially at risk regardless of higher-layer application logic.

Affected systems

Zephyr Project's Zephyr RTOS (Bluetooth host stack) is the affected product. The vulnerability manifests specifically in configurations where: (1) Bluetooth LE support is enabled; (2) L2CAP CoC segmentation is active via chan_ops.alloc_buf; and (3) the application's RX buffer pool user_data_size is configured to less than 2 bytes. This affects custom BLE applications and any Zephyr-based IoT device or peripheral using L2CAP segmentation. Verify your Zephyr build configuration and device firmware to determine exposure.

Exploitability

Exploitability is straightforward: the attacker needs only to be within BLE range of the target device and send malformed L2CAP LE CoC frames that trigger segmentation logic. No authentication, user interaction, or pre-existing access is required. The attack is remote and unauthenticated, though it is geographically constrained to BLE proximity (typically under 250 meters for standard devices). This makes it practical for attackers targeting specific locations or facilities. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, but the low barrier to exploitation means active monitoring is warranted.

Remediation

Apply patches from Zephyr Project addressing the out-of-bounds write in l2cap.c. Ensure user_data_size in your RX net_buf pool is configured to at least 2 bytes if segmentation is enabled. Review your application's chan_ops.alloc_buf configuration and buffer pool sizing. If immediate patching is not feasible, consider disabling L2CAP CoC segmentation or restricting BLE connectivity to trusted peers. Test any configuration or code changes in a staging environment before production deployment.

Patch guidance

Check Zephyr Project's official repository and security advisories for patches committed after the 2026-06-09 publication date. Patches should modify l2cap_chan_le_recv_seg to validate user_data_size before writing the segmentation counter, or to use alternative storage that respects buffer boundaries. Verify the patch version against the vendor's published advisory before applying. Standard Zephyr update procedures via west or direct repository checkout apply; ensure your build system includes the patched version of subsys/bluetooth/host/l2cap.c.

Detection guidance

Monitor for AddressSanitizer (ASan) abort messages or SEGV errors in Bluetooth host logs, particularly correlated with L2CAP LE CoC events. On production systems without ASan, watch for unexpected crashes or watchdog resets coinciding with BLE traffic from unknown sources. Packet capture and analysis of L2CAP LE CoC frames with malformed SDU segmentation headers can reveal attack attempts. Enable debug logging in Zephyr's Bluetooth subsystem (CONFIG_BT_LOG=y, CONFIG_BT_L2CAP_LOG=y) in test environments to correlate crash events with triggering packets. Network segmentation to isolate critical BLE devices from untrusted BLE networks provides defense-in-depth.

Why prioritize this

This vulnerability merits immediate attention due to its HIGH CVSS score (7.6), remote and unauthenticated attack vector, and impact on a foundational layer (Bluetooth host) affecting potentially many IoT deployments. While not yet on the KEV list, the low exploitability barrier and widespread use of Zephyr in industrial and consumer IoT suggest active exploitation risk. Any production Zephyr device with BLE and L2CAP CoC segmentation enabled should be treated as a priority for patching.

Risk score, explained

The CVSS 3.1 score of 7.6 (HIGH) reflects: Adjacent attack vector (BLE range limitation), low attack complexity (no special conditions), no privilege or user interaction required, unchanged scope, low confidentiality impact (memory disclosure possible), low integrity impact (heap corruption), and high availability impact (crash/DoS). The score appropriately weights the remote DoS risk and memory corruption potential despite the geographic constraint imposed by BLE range. Organizations should not underestimate risk based on adjacency; many facilities contain overlapping BLE coverage.

Frequently asked questions

Does this affect all Zephyr Bluetooth applications?

No. The vulnerability is specific to applications that enable L2CAP LE Connection-Oriented Channel (CoC) segmentation and configure their RX buffer pool with user_data_size smaller than 2 bytes. Applications not using L2CAP CoC or using appropriately sized buffers are unaffected. Review your application's Kconfig and chan_ops settings to determine exposure.

What is the range of a BLE attack exploiting this vulnerability?

Standard BLE has a nominal range of 10–240 meters depending on antenna design and environmental conditions. An attacker must be within this proximity to send the malicious L2CAP frames. This is an 'adjacent' attack in CVSS terms, meaning physical proximity to the target network is required.

Can this vulnerability lead to remote code execution?

The primary observed effect is denial-of-service via crash. However, heap corruption resulting from out-of-bounds writes can potentially be leveraged for code execution by sophisticated attackers in specific configurations. The vulnerability should be treated as a high-risk availability and integrity threat; do not assume it is limited to DoS.

Is there a workaround if I cannot patch immediately?

Disable L2CAP LE CoC segmentation in your application configuration if the feature is not essential. Alternatively, ensure your RX net_buf pool user_data_size is at least 2 bytes. Restrict BLE connectivity to trusted, authenticated peers and physically isolate vulnerable devices from untrusted BLE networks if feasible.

This analysis is provided for informational purposes and does not constitute legal or professional security advice. SEC.co makes no warranty regarding accuracy or completeness. Organizations are responsible for validating all information against vendor advisories, testing patches in staging environments, and implementing controls appropriate to their risk posture. CVSS scores and vulnerability details are current as of the publication date and may be updated by vendors or NIST. Consult Zephyr Project's official security advisories for authoritative patch guidance and affected version lists. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).