CVE intelligence and bounded remediation

CVE-2026-10651 — Zephyrproject Zephyr security vulnerability

High CVSS 7.1

bt_sdp_parse_attribute() in subsys/bluetooth/host/classic/sdp.c validated only that the SDP record buffer held the type-marker byte plus the 2-byte attribute ID (a check of buf->len < 3) but then read a fourth byte, the data-element descriptor (type), via net_buf_simple_pull_u8(). Because net_buf_simple_pull_u8() dereferences buf->data[0] before its only bounds guard (an __ASSERT_NO_MSG that compiles out when CONFIG_ASSERT is disabled, the production default), a record of exactly three bytes (0x09 followed by a 2-byte attribute ID) causes a one-byte read past the end of the logical buffer. The parser is reachable from inbound, remote-controlled data: a Bluetooth BR/EDR peer acting as an SDP server returns discovery-response records that are stored verbatim in the client receive buffer and parsed via the public bt_sdp_get_attr()/bt_sdp_has_attr()/bt_sdp_record_parse() helpers. The over-read is bounded to a single byte that is used only as an internal length selector and is never leaked to the attacker; subsequent length checks then reject the malformed record. Realistic impact is therefore limited to an edge-case denial of service (a fault only if the record ends exactly at a mappe…

Severity
High
CVSS
7.1 (3.1)
Published
2026-06-23
CISA KEV
Not currently listed
Ecosystem
operating-system
Weaknesses
CWE-20

Affected products

  • zephyrproject / zephyr

Matched remediation archetype

Resource exhaustion and denial of service

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Identify attacker-influenced work factors including input size, nesting, compression, fan-out, regex cost, allocation, recursion, retries, and connection lifetime.
  • Map per-request and shared CPU, memory, disk, descriptor, thread, queue, and downstream-service limits.
  • Determine whether authentication, tenancy, quotas, and rate controls apply before expensive processing begins.

Remediate safely

  • Bound input size, nesting, expansion, work, concurrency, queue depth, retries, and execution time before resource-intensive processing.
  • Release resources on every success, error, cancellation, and timeout path and use backpressure instead of unbounded buffering.
  • Update affected components and add small deterministic tests that assert resource ceilings rather than exhausting a host.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.