CVE intelligence and bounded remediation
CVE-2026-10641 — Zephyrproject Zephyr security vulnerability
Zephyr's Bluetooth Classic Hands-Free Profile (HFP) Hands-Free role parser (subsys/bluetooth/host/classic/hfp_hf.c) contains an out-of-bounds write. During Service Level Connection setup the HF sends AT+CIND=? and parses the AG's +CIND: response in cind_handle(), which assigns a per-entry counter index and calls cind_handle_values() for each list element. cind_handle_values() then wrote hf->ind_table[index] = i without verifying that index is within the 20-element int8_t ind_table[] array of struct bt_hfp_hf. Because the parser places no cap on the number of +CIND: list entries, a remote Attendant Gateway (a malicious, compromised, or spoofed peer the device connects to over Bluetooth) can send a response with more than 20 recognized indicator entries and drive index arbitrarily large, writing a small attacker-positioned value past the array into adjacent struct fields (feature masks, SDP/version state, the calls[] array, work/atomic bookkeeping) and potentially beyond the static connection pool slot. This yields memory corruption and at least denial of service of the Bluetooth host, triggered by a single malformed AT response with no user interaction. The sibling consumer ag_indi…
- Severity
- High
- CVSS
- 7.1 (3.1)
- Published
- 2026-06-17
- CISA KEV
- Not currently listed
- Ecosystem
- operating-system
- Weaknesses
- CWE-787
Affected products
- zephyrproject / zephyr
Matched remediation archetype
Buffer bounds, memory safety, and memory corruption
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Identify affected native-code versions, build flags, architectures, parsers, codecs, drivers, and input paths in all shipped artifacts.
- Determine whether untrusted data reaches the affected routine and the process privilege, sandbox, and network exposure.
- Confirm statically linked, vendored, firmware, and platform-provided copies, not only package-manager records.
Remediate safely
- Apply the maintained upstream correction or replace the affected component, then rebuild every dependent artifact from clean inputs.
- Adopt bounds-checked interfaces, validated sizes and integer conversions, clear ownership, and memory-safe components where practical.
- Enable supported compiler and runtime hardening and add sanitized tests and fuzz regression seeds derived from non-weaponized fixtures.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.