Lucene search
K

4 matches found

CVE
CVE
added 2026/06/22 11:58 p.m.23 views

CVE-2026-10658

CVE-2026-10658 affects Zephyr’s Bluetooth Host ISO RX path, specifically bt_iso_recv() in subsys/bluetooth/host/iso.c. The vulnerability arises from missing minimum length checks for SDU headers when processing PB=START/SINGLE, allowing a malformed HCI ISO payload to bypass the inner header lengt...

7.1CVSS6.1AI score0.00163EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/22 11:58 p.m.4 views

CVE-2026-10658 Out-of-bounds access in Bluetooth ISO receive (`bt_iso_recv`) due to missing SDU-header length validation

btisorecv in subsys/bluetooth/host/iso.c pulled the ISO SDU header 4 bytes or, when the timestamp flag is set, the timestamped SDU header 8 bytes from the inbound HCI ISO Data buffer via netbufpullmem without first checking buf-len. The upstream hciiso handler enforces buf-len == the...

7.1CVSS6AI score0.00163EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/06/22 11:58 p.m.4 views

CVE-2026-10658 Out-of-bounds access in Bluetooth ISO receive (`bt_iso_recv`) due to missing SDU-header length validation

btisorecv in subsys/bluetooth/host/iso.c pulled the ISO SDU header 4 bytes or, when the timestamp flag is set, the timestamped SDU header 8 bytes from the inbound HCI ISO Data buffer via netbufpullmem without first checking buf-len. The upstream hciiso handler enforces buf-len == the...

7.1CVSS6.2AI score0.00163EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/22 11:58 p.m.42 views

CVE-2026-10658 Out-of-bounds access in Bluetooth ISO receive (`bt_iso_recv`) due to missing SDU-header length validation

btisorecv in subsys/bluetooth/host/iso.c pulled the ISO SDU header 4 bytes or, when the timestamp flag is set, the timestamped SDU header 8 bytes from the inbound HCI ISO Data buffer via netbufpullmem without first checking buf-len. The upstream hciiso handler enforces buf-len == the...

7.1CVSS0.00163EPSS
Exploits0References2
Rows per page
Query Builder