VYPR
Unrated severity · NVD Advisory · Published Jun 22, 2026

Bluetooth Host ISO RX Missing SDU Header Length Validation in bt_iso_recv() Leads to DoS

CVE-2026-10658

Description

A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header (4 bytes, ts=0) without first verifying that buf->len contains at least that many bytes. The outer HCI ISO length check in hci_iso() validates payload length consistency but not the minimum inner SDU header size, so a packet with payload length 1 passes hci_iso() and then reaches net_buf_pull_mem(), which asserts buf->len >= len. As a result, malformed ISO traffic deterministically triggers a kernel assert (denial of service) in assert-enabled builds, and in non-assert builds the same path may proceed with an undersized buffer, leading to out-of-bounds read behavior. The issue affects products using the Zephyr Host with CONFIG_BT_ISO_RX enabled, particularly where incoming HCI data can be influenced by a malicious or compromised controller or malformed forwarded ISO traffic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 1


Vulnerability mechanics

Root cause

"Missing length validation before pulling the SDU header in bt_iso_recv() allows a malformed HCI ISO packet with an undersized payload to trigger a kernel assert or out-of-bounds read."

Attack vector

An attacker who can influence incoming HCI ISO data — for example by controlling a malicious Bluetooth controller or by injecting malformed forwarded ISO traffic — sends a packet whose HCI ISO payload length is valid at the outer layer (e.g. length=1) but too small to contain the required SDU header. The outer check in hci_iso() passes because it only validates payload length consistency, not the minimum inner header size. When bt_iso_recv() processes the fragment as PB=START/SINGLE, it calls net_buf_pull_mem() to pull either an 8-byte TS header or a 4-byte non-TS header without first verifying that buf->len is at least that many bytes [ref_id=1]. This triggers a kernel assert in assert-enabled builds, causing a deterministic denial of service; in non-assert builds the undersized buffer may lead to out-of-bounds read behavior [ref_id=1].

What the fix does

The patch adds a per-branch length check before each net_buf_pull_mem() call in bt_iso_recv(), ensuring that buf->len is at least sizeof(struct bt_hci_iso_sdu_ts_hdr) (8 bytes) when ts=1, or sizeof(struct bt_hci_iso_sdu_hdr) (4 bytes) when ts=0 [ref_id=1]. If the buffer is too short, the function returns an error instead of proceeding to pull. This closes the gap between the outer HCI ISO length validation in hci_iso() and the inner SDU header parsing, preventing the assert and the potential out-of-bounds read.
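To make the gap between the outer hci_iso() check and the inner SDU header pull concrete, here is an added illustration of the pre-fix and post-fix shapes of the PB=START/SINGLE branch. It is not Zephyr's iso.c: the net_buf struct, the header field layouts, sim_pull_mem() (a stand-in for net_buf_pull_mem() that records the assert condition instead of panicking), run_case() and last_sn_value() are assumptions made for this example; only the header sizes (4 and 8 bytes) and the error-return behaviour of the fix come from the advisory. The one-byte payload is constructed to mirror the advisory's length=1 case.

```c
/* Added illustration of the CVE-2026-10658 pattern. NOT Zephyr's iso.c:
 * net_buf, the header field layouts and the pull helper are simplified
 * stand-ins; only the header sizes (4 and 8 bytes) match the advisory. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct net_buf {               /* assumed minimal stand-in for Zephyr's net_buf */
    uint8_t *data;
    uint16_t len;
};

struct bt_hci_iso_sdu_hdr {    /* ts=0: 4-byte header (field layout assumed) */
    uint16_t sn;
    uint16_t slen;
};
struct bt_hci_iso_sdu_ts_hdr { /* ts=1: 8-byte header (field layout assumed) */
    uint32_t ts;
    uint16_t sn;
    uint16_t slen;
};

/* Records whether the kernel assert in net_buf_pull_mem() (buf->len >= len)
 * would have fired; this simulation records it instead of aborting. */
static bool assert_would_fire;
static uint16_t last_sn;

static bool assert_fired(void) { return assert_would_fire; }
static uint16_t last_sn_value(void) { return last_sn; }

/* Stand-in for net_buf_pull_mem(): assert build panics, non-assert build reads OOB. */
static uint8_t *sim_pull_mem(struct net_buf *buf, size_t len)
{
    if (buf->len < len) {
        assert_would_fire = true;
        return NULL;
    }
    uint8_t *p = buf->data;
    buf->data += len;
    buf->len -= (uint16_t)len;
    return p;
}

/* HCI fields are little-endian on the wire. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Pre-fix shape: pull the header first, never check buf->len. */
static int iso_recv_unchecked(struct net_buf *buf, bool ts, uint16_t *sn_out)
{
    uint8_t *p;
    if (ts) {
        p = sim_pull_mem(buf, sizeof(struct bt_hci_iso_sdu_ts_hdr));
        if (p == NULL) return -EFAULT; /* unreachable in Zephyr: assert already fired */
        *sn_out = le16(p + offsetof(struct bt_hci_iso_sdu_ts_hdr, sn));
    } else {
        p = sim_pull_mem(buf, sizeof(struct bt_hci_iso_sdu_hdr));
        if (p == NULL) return -EFAULT;
        *sn_out = le16(p + offsetof(struct bt_hci_iso_sdu_hdr, sn));
    }
    return 0;
}

/* Post-fix shape: per-branch length check before each pull, error on short buffer. */
static int iso_recv_checked(struct net_buf *buf, bool ts, uint16_t *sn_out)
{
    uint8_t *p;
    if (ts) {
        if (buf->len < sizeof(struct bt_hci_iso_sdu_ts_hdr)) return -EINVAL;
        p = sim_pull_mem(buf, sizeof(struct bt_hci_iso_sdu_ts_hdr));
        *sn_out = le16(p + offsetof(struct bt_hci_iso_sdu_ts_hdr, sn));
    } else {
        if (buf->len < sizeof(struct bt_hci_iso_sdu_hdr)) return -EINVAL;
        p = sim_pull_mem(buf, sizeof(struct bt_hci_iso_sdu_hdr));
        *sn_out = le16(p + offsetof(struct bt_hci_iso_sdu_hdr, sn));
    }
    return 0;
}

/* Constructed payloads: the advisory's length=1 case (passes the outer hci_iso()
 * consistency check) and a well-formed 8-byte TS header carrying sn=0x1234. */
static const uint8_t short_payload[1] = { 0x00 };
static const uint8_t ts_payload[8] = { 0x00, 0x00, 0x00, 0x00, 0x34, 0x12, 0x00, 0x00 };

/* Runs one parser over a copy of a payload; returns rc, stores sn in last_sn. */
static int run_case(int (*recv)(struct net_buf *, bool, uint16_t *),
                    const uint8_t *payload, uint16_t len, bool ts)
{
    uint8_t copy[8] = {0};
    memcpy(copy, payload, len);
    struct net_buf buf = { .data = copy, .len = len };
    assert_would_fire = false;
    last_sn = 0;
    return recv(&buf, ts, &last_sn);
}

int main(void)
{
    int rc = run_case(iso_recv_unchecked, short_payload, 1, true);
    printf("unchecked len=1 ts=1: rc=%d assert_would_fire=%d\n", rc, assert_fired());
    rc = run_case(iso_recv_checked, short_payload, 1, true);
    printf("checked   len=1 ts=1: rc=%d assert_would_fire=%d\n", rc, assert_fired());
    rc = run_case(iso_recv_checked, ts_payload, 8, true);
    printf("checked   len=8 ts=1: rc=%d sn=0x%04x\n", rc, last_sn_value());
    return 0;
}
```

The unchecked path reaches the pull with a one-byte buffer and trips the assert condition; the checked path rejects the same input with -EINVAL before touching the buffer, and still parses a complete header normally. The same check applies to the 4-byte non-TS branch, which is why the fix is per-branch rather than a single size test.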

Preconditions

  • Config: CONFIG_BT_ISO_RX must be enabled in the Zephyr build
  • Network: attacker must be able to influence incoming HCI ISO data, e.g. via a malicious/compromised Bluetooth controller or malformed forwarded ISO traffic
  • Auth: no authentication required; the malformed packet is processed at the HCI layer before any security checks

Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
