MEDIUM 6.3

CVE-2026-5589: Zephyr Bluetooth Mesh Integer Underflow and Out-of-Bounds Write

A flaw in Zephyr's Bluetooth Mesh solicitation handler can cause memory corruption when a malicious nearby BLE device sends a specially crafted advertisement. The vulnerability occurs in the code that processes advertisement structure length fields, where insufficient validation allows a subtraction to wrap into a massive unsigned value. This causes the parser to read far outside the allocated buffer, potentially crashing the system or enabling code execution on devices with Bluetooth Mesh enabled and the OD Private Proxy Server role active. No pairing or authentication is required—any nearby device can trigger it.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-787
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_len) and computes reported_len - 3 without checking that reported_len >= 3. When reported_len is less than 3, the subtraction is performed in signed int arithmetic and yields a negative value that bypasses the length guard and is then implicitly converted to a very large size_t when passed to net_buf_simple_pull_mem(). In builds without assertions, this wraps the buffer length and advances the data pointer far out of bounds, so subsequent reads dereference invalid memory. A nearby BLE device can trigger this with a non-connectable advertisement carrying a UUID16 AD structure and a crafted length byte, with no pairing or prior association required, potentially leading to denial of service or arbitrary code execution.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is an integer underflow in bt_mesh_sol_recv() (subsys/bluetooth/mesh/solicitation.c) triggered during BLE advertisement parsing. The function reads a length byte (reported_len) from a UUID16 AD structure without validating that reported_len >= 3 before computing reported_len - 3. In signed arithmetic, this yields a negative value. When this negative result is implicitly cast to size_t and passed to net_buf_simple_pull_mem(), it wraps to a very large positive value in unsigned context. On builds without runtime assertions, the buffer length check is bypassed, and the data pointer advances far out of bounds. Subsequent buffer operations then read or write to unmapped memory. The flaw only manifests when CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled in the Zephyr kernel configuration.

Business impact

For organizations deploying Zephyr-based IoT and embedded devices with Bluetooth Mesh in privacy-sensitive roles (such as private proxy servers), this vulnerability exposes systems to remote denial of service and potential code execution without authentication. Medical devices, industrial sensors, smart building controllers, and other mesh-networked endpoints could be remotely crashed or compromised from a nearby attacker position. Recovery and diagnostics become difficult in distributed mesh networks, and widespread exploitation could disrupt critical infrastructure that relies on mesh coordination. Unpatched fleets present a material availability and integrity risk.

Affected systems

Zephyr RTOS deployments with Bluetooth Mesh support and CONFIG_BT_MESH_OD_PRIV_PROXY_SRV enabled are directly affected. This includes custom SoCs and third-party modules built on Zephyr, as well as development boards commonly used in research and prototype mesh networks. Devices that participate in Bluetooth Mesh networks in the private proxy server role are at highest risk. Systems without CONFIG_BT_MESH_OD_PRIV_PROXY_SRV enabled are not exploitable via this path, though they may still run vulnerable code if the feature is compiled in but disabled at runtime—verify your configuration.

Exploitability

Exploitability is straightforward. An attacker within BLE range (~10–100 meters depending on antenna and power) can craft a non-connectable BLE advertisement with a malformed UUID16 AD structure and transmit it repeatedly. No pairing, bonding, or prior association is required. Standard BLE advertising tools can generate the malicious payload. The attack is reliable and repeatable, though achieving code execution (rather than denial of service) requires knowledge of the target device's memory layout and may be mitigated by ASLR or MPU settings on some platforms. Access vector is network (adjacent network for BLE), privileges are not required, user interaction is not needed, and the scope is unchanged—satisfying the CVSS 3.1 vector for a MEDIUM rating.

Remediation

Apply a patch to Zephyr that adds bounds checking in bt_mesh_sol_recv() before the integer arithmetic. The fix must validate reported_len >= 3 before subtracting 3, and should use unsigned arithmetic or explicit type casts to prevent signed-to-unsigned conversion surprises. Disable CONFIG_BT_MESH_OD_PRIV_PROXY_SRV in production kernels if the private proxy server role is not required. Rebuild and reflash affected devices with the corrected kernel. Verify the fix in your prerelease testing by attempting to send malformed solicitation advertisements to confirm they are rejected or logged without memory corruption.

Patch guidance

Consult the official Zephyr security advisory and the Zephyr GitHub repository (github.com/zephyrproject-rtos) for the specific patched version number and commit hash. Patches will likely be backported to multiple long-term support (LTS) branches. Update your Zephyr SDK and west tool, then run 'west update' to pull the fixed source. Rebuild your application with 'west build -b <your_board> --pristine' to ensure the old object files are not reused. Test the patched build on representative hardware before production deployment. If you maintain a fork of Zephyr, cherry-pick the fix commit into your branches and re-test your application.

Detection guidance

Monitor system logs and kernel messages for memory faults (segfaults, data aborts) or watchdog resets that correlate with BLE activity, especially on private proxy server instances. Enable Zephyr kernel logging with CONFIG_BT_MESH_DEBUG_SOLICITATION if available. In firmware images with assertions enabled, watch for assertion failures in the solicitation path. On systems with crash dumps enabled, analyze dumps for stack traces pointing to bt_mesh_sol_recv() or nearby functions. Network-level detection is difficult but possible if you can capture and analyze raw BLE advertisement frames; look for UUID16 AD structures with length values less than 3. Host-based behavior monitoring (e.g., unexpected reboots, service interruptions in mesh-dependent processes) is a useful trigger for investigation.

Why prioritize this

This vulnerability warrants moderate-to-high priority patching. While the CVSS score of 6.3 is MEDIUM, the low barrier to exploitation, lack of authentication requirement, and potential for code execution on critical infrastructure mesh nodes elevate practical risk. Organizations with wide BLE Mesh deployments (smart buildings, industrial IoT, medical sensor networks) should prioritize patching within 30–60 days. However, if CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is not enabled in your kernel configuration, remediation can be deferred, provided your inventory is well-documented. Verify your configuration across all builds immediately.

Risk score, explained

The CVSS 3.1 score of 6.3 reflects a MEDIUM severity. Attack vector is network-adjacent (BLE), attack complexity is low, no privileges or user interaction are required, and the impact is confidentiality, integrity, and availability—each rated as low in the vector. The relatively low individual impact ratings (rather than high or critical) keep the overall score in the MEDIUM band, but this is somewhat conservative given that code execution on mesh infrastructure could cascade. Organizations managing critical mesh deployments should treat this as a higher practical priority than the numeric score suggests.

Frequently asked questions

I have CONFIG_BT_MESH_OD_PRIV_PROXY_SRV disabled in my kernel config. Am I affected?

No, you are not exploitable via this specific vulnerability if the feature is disabled at compile-time and not reachable in your code path. However, verify that the option is definitively off by checking your prj.conf or kernel configuration file and ensuring it is not enabled by a default or dependency. If you are unsure, treat it as potentially enabled and plan to patch anyway.

Does this vulnerability require the device to be already paired or joined to a mesh network?

No. The attack works via raw, unauthenticated BLE advertising. An attacker does not need to pair with the device, be a mesh member, or have any prior relationship. Any nearby device transmitting a malicious advertisement can trigger the vulnerability.

What is the practical difference between denial of service and code execution for this flaw?

Denial of service (crash, reboot) will occur reliably and immediately when the malformed advertisement is received, causing the buffer read to fault. Code execution is theoretically possible if the attacker can control what memory the out-of-bounds pointer lands on and craft an input that writes to that location, but this requires knowledge of the target's memory layout, ASLR bypass techniques if applicable, and may be mitigated by hardware MPU settings. Most real-world impact will be DoS.

If I patch this vulnerability, do I need to reprovisioning my mesh devices or re-key?

No. The patch corrects the parsing bug and does not change the mesh security model, provisioning process, or key material. After applying the patched kernel and rebooting, devices will rejoin their mesh networks as before with their existing credentials intact.

This analysis is based on the published CVE record and vendor advisories available as of the knowledge cutoff. Specific patch version numbers and exact affected product builds have not been independently verified; consult the official Zephyr security advisory (zephyrproject.org/security) for authoritative remediation guidance. The severity assessment assumes standard embedded configurations; hardened systems with MPU/SMMU, ASLR, or disable assertions may have reduced practical risk. Testing in your environment is essential before production deployment. No exploit code or weaponized proof-of-concept is provided. SEC.co does not maintain a custom patch repository; apply fixes from upstream Zephyr or your device vendor only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).