VYPR
High severity · 7.6 · NVD Advisory · Published Jun 9, 2026

CVE-2026-5068

Description

A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly, leading to heap corruption or a crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A remote, unauthenticated BLE peer can trigger a 2-byte out-of-bounds write in the Bluetooth host during L2CAP LE CoC SDU reassembly. The host keeps the count of received segments, a uint16_t, in the user data area of the SDU buffer that the application's chan_ops.alloc_buf callback returns. The bug appears when the application enables segmentation via that callback and the RX pool behind it has a user_data_size smaller than 2 bytes: the counter is then written past the area the pool reserved. The vulnerability resides in l2cap_chan_le_recv_seg within subsys/bluetooth/host/l2cap.c. Affected versions are <= 4.4.0 [1].

Exploitation

An attacker needs to reach the vulnerable device over Bluetooth Low Energy (BLE) as a remote, unauthenticated peer; no pairing or other authentication is required. The vulnerability is triggered during L2CAP LE CoC SDU reassembly when segmentation is enabled and the RX pool's user data size is less than 2 bytes. The peer sends a segmented SDU over an LE CoC channel; each received segment makes the host update the segmentation counter stored in the net_buf user data area, and that update is the out-of-bounds write [1].

Impact

Successful exploitation results in a 2-byte out-of-bounds write into whatever memory follows the SDU buffer's user data area. Observed effects include an AddressSanitizer abort with a backtrace, or heap corruption and a fatal error if AddressSanitizer is not enabled. The practical outcome is a denial of service (a crash or an unrecoverable heap state); the written value is the received-segment count, which the peer influences only through the number of segments it sends, and the available references establish no impact beyond instability due to heap corruption [1].

Mitigation

Patches are available for the main branch (#104913) and v4.3 (#108335). They add a check in l2cap_chan_le_recv that rejects an SDU buffer whose user_data_size is smaller than sizeof(uint16_t) and disconnects the channel, and they document the requirement on alloc_buf. The fixed version is not explicitly stated, but affected versions are <= 4.4.0 [1]. Applications that implement chan_ops.alloc_buf can also close the hole on their side, with or without the stack update, by returning buffers only from a pool that reserves at least sizeof(uint16_t) bytes of user data per buffer, which is the requirement the patch documents in include/zephyr/bluetooth/l2cap.h. No information on EOL status or KEV listing is available in the provided references.

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 4
159c7d424d89

doc: release/4.4: Add CVE under embargo

https://github.com/zephyrproject-rtos/zephyr · Flavio Ceolin · Apr 5, 2026 · via github-commit-search
1 file changed · +4 −0
  • doc/releases/release-notes-4.4.rst · +4 −0 · modified
    @@ -133,10 +133,14 @@ The following CVEs are addressed by this release:
     
     * :cve:`2026-5067` Under embargo until 2026-05-23
     
    +* :cve:`2026-5068` Under embargo until 2026-05-21
    +
     * :cve:`2026-5071` Under embargo until 2026-05-18
     
     * :cve:`2026-5072` Under embargo until 2026-05-18
     
    +* :cve:`2026-5589` Under embargo until 2026-06-03
    +
     API Changes
     ***********
     
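Review bot: the hunk adds the entry for :cve:`2026-5068` (embargo until 2026-05-21) but also a second, unrelated entry for :cve:`2026-5589` with a different embargo date; one CVE per commit keeps the release-note history easy to audit against the matching vulnerabilities.rst entry, so split the 2026-5589 line into its own change or state in the commit message that both entries are intended.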
    
df4c8231c9cf

doc: vuln: Add CVE under embargo

https://github.com/zephyrproject-rtos/zephyr · Flavio Ceolin · Mar 27, 2026 · via github-commit-search
1 file changed · +5 −0
  • doc/security/vulnerabilities.rst · +5 −0 · modified
    @@ -2222,3 +2222,8 @@ Under embargo until 2026-06-01
     ----------------
     
     Under embargo until 2026-05-23
    +
    +:cve:`2026-5068`
    +----------------
    +
    +Under embargo until 2026-05-21
    
9d4ff6f8d0cc

bluetooth: l2cap: validate alloc_buf user data

https://github.com/zephyrproject-rtos/zephyr · Oleh Konko · Mar 4, 2026 · via body-scan-shorthand
2 files changed · +14 −0
  • include/zephyr/bluetooth/l2cap.h · +5 −0 · modified
    @@ -673,6 +673,11 @@ struct bt_l2cap_chan_ops {
     	 *  If the application has not set a callback the L2CAP SDU MTU will be
     	 *  truncated to @ref BT_L2CAP_SDU_RX_MTU.
     	 *
    +	 *  @note The stack stores the number of received segments in the first
    +	 *        two bytes of the buffer user data. The buffer returned by this
    +	 *        callback must have a user data size of at least
    +	 *        @c sizeof(uint16_t).
    +	 *
     	 *  @param chan The channel requesting a buffer.
     	 *
     	 *  @return Allocated buffer.
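Review bot: the @note states the minimum user data size (sizeof(uint16_t)) but not what happens when the callback returns a smaller buffer; the l2cap.c change in this same commit logs an error, releases the buffer and disconnects the channel, so add a sentence such as "A buffer with a smaller user data area is released and the channel is disconnected" so that application authors can trace a dropped channel back to their pool definition instead of to the log line.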
    
  • subsys/bluetooth/host/l2cap.c · +9 −0 · modified
    @@ -2756,6 +2756,15 @@ static void l2cap_chan_le_recv(struct bt_l2cap_le_chan *chan,
     			bt_l2cap_chan_disconnect(&chan->chan);
     			return;
     		}
    +
    +		if (chan->_sdu->user_data_size < sizeof(uint16_t)) {
    +			LOG_ERR("SDU buffer user_data_size %u is too small",
    +				chan->_sdu->user_data_size);
    +			net_buf_unref(chan->_sdu);
    +			chan->_sdu = NULL;
    +			bt_l2cap_chan_disconnect(&chan->chan);
    +			return;
    +		}
     		chan->_sdu_len = sdu_len;
     
     		/* Send sdu_len/mps worth of credits */
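Review bot: the new user_data_size check sits in l2cap_chan_le_recv() right after the SDU buffer is obtained, so it is evaluated every time a new segmented SDU starts, and an application with a mis-sized pool sees a disconnect on the first segmented SDU of every connection rather than a failure at channel setup; since the condition is an application configuration error and not something the peer controls, consider additionally validating the pool at channel connect/accept time, or wrapping the condition in __ASSERT for debug builds, and include the channel identity in the LOG_ERR so the message can be tied to a specific alloc_buf implementation. The cleanup itself (net_buf_unref, clearing chan->_sdu, bt_l2cap_chan_disconnect) mirrors the allocation-failure path directly above it, which is the right shape.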
    
09ad7174e940

bluetooth: l2cap: validate alloc_buf user data

https://github.com/zephyrproject-rtos/zephyr · Oleh Konko · Mar 4, 2026 · via body-scan-shorthand
2 files changed · +14 −0
  • include/zephyr/bluetooth/l2cap.h · +5 −0 · modified
    @@ -675,6 +675,11 @@ struct bt_l2cap_chan_ops {
     	 *  If the application has not set a callback the L2CAP SDU MTU will be
     	 *  truncated to @ref BT_L2CAP_SDU_RX_MTU.
     	 *
    +	 *  @note The stack stores the number of received segments in the first
    +	 *        two bytes of the buffer user data. The buffer returned by this
    +	 *        callback must have a user data size of at least
    +	 *        @c sizeof(uint16_t).
    +	 *
     	 *  @param chan The channel requesting a buffer.
     	 *
     	 *  @return Allocated buffer.
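Review bot: this hunk is identical to the l2cap.h change in 9d4ff6f8d0cc apart from the hunk offset (-675 versus -673), so one of the two commits is a port of the other to a different branch; the ported commit's message should carry the original commit SHA (a "(cherry picked from commit ...)" trailer) so the two entries can be tied together when the CVE is audited, and the l2cap.c hunk below inherits the same review points as the original.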
    
  • subsys/bluetooth/host/l2cap.c · +9 −0 · modified
    @@ -2756,6 +2756,15 @@ static void l2cap_chan_le_recv(struct bt_l2cap_le_chan *chan,
     			bt_l2cap_chan_disconnect(&chan->chan);
     			return;
     		}
    +
    +		if (chan->_sdu->user_data_size < sizeof(uint16_t)) {
    +			LOG_ERR("SDU buffer user_data_size %u is too small",
    +				chan->_sdu->user_data_size);
    +			net_buf_unref(chan->_sdu);
    +			chan->_sdu = NULL;
    +			bt_l2cap_chan_disconnect(&chan->chan);
    +			return;
    +		}
     		chan->_sdu_len = sdu_len;
     
     		/* Send sdu_len/mps worth of credits */
    

Vulnerability mechanics

Root cause

"A 2-byte out-of-bounds write occurs in the Bluetooth host during L2CAP LE CoC SDU reassembly when segmentation is enabled and the RX pool has a user_data_size smaller than 2 bytes."

Attack vector

A remote, unauthenticated BLE peer can trigger this vulnerability. Two application-side conditions must hold: segmentation is enabled via `chan_ops.alloc_buf`, and the RX pool behind that callback reserves fewer than 2 bytes of user data per buffer. The peer then sends a segmented SDU over an LE CoC channel; each segment makes the host update the segmentation counter stored in the `net_buf` user data area, and that write runs past the area the pool reserved [ref_id=1]. This leads to heap corruption or a fatal error, and an AddressSanitizer abort if ASan is enabled [ref_id=1].

Affected code

The vulnerability resides in the `l2cap_chan_le_recv_seg` function within `subsys/bluetooth/host/l2cap.c`. The received-segment counter `seg` is a `uint16_t` that the function reads from, and writes back to, the SDU buffer's user data area with `memcpy(net_buf_user_data(chan->_sdu), &seg, sizeof(seg));`. `net_buf_user_data()` returns the start of the area the buffer's pool reserved, and nothing in the pre-fix code compares that reservation (`user_data_size`) with `sizeof(seg)`, so when the application's RX pool reserves 0 or 1 bytes the copy writes past the end of the area [ref_id=1].

What the fix does

The patches add a guard in `l2cap_chan_le_recv` (`subsys/bluetooth/host/l2cap.c`) at the point where the SDU buffer has just been obtained from the application's `alloc_buf` callback: if `chan->_sdu->user_data_size` is smaller than `sizeof(uint16_t)`, the stack logs an error, releases the buffer with `net_buf_unref`, clears `chan->_sdu` and disconnects the channel with `bt_l2cap_chan_disconnect`, so reassembly never reaches the `memcpy` in `l2cap_chan_le_recv_seg` with an undersized user data area. The same commits document the requirement on `struct bt_l2cap_chan_ops::alloc_buf` in `include/zephyr/bluetooth/l2cap.h`: the first two bytes of the returned buffer's user data hold the received-segment count, so the buffer must have a user data size of at least `sizeof(uint16_t)` [patch_id=5320349, patch_id=5320350, patch_id=5320347, patch_id=5320348]. The fix detects the misconfiguration and fails closed; it does not change how applications size their pools, so an RX pool that reserves fewer than 2 bytes of user data still cannot carry segmented SDUs after the update.
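As an added illustration, not Zephyr code and not part of this advisory, the following C program models the memory layout and control flow described in the Vulnerability, Affected code and What the fix does passages above. Pool entries are laid out as a fixed header followed by `user_data_size` bytes of user data, the way a net_buf pool places each buffer's user data area directly behind its header, so a 2-byte counter written into a 0-byte area lands in the next entry's header. Every identifier with a `model_` prefix is invented for the example; the model uses one-byte header fields so the corruption is visible deterministically on any endianness, whereas in the real stack the clobbered bytes belong to whatever net_buf field follows. Zeroing the counter when a new SDU starts is also an assumption about the pre-fix code.

```c
/* Added example: model of CVE-2026-5068, not Zephyr code. All model_* names
 * are invented for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_DATA_SIZE  64 /* payload capacity of one pool entry */
#define MODEL_POOL_COUNT 2  /* entry 0 reassembles, entry 1 is its neighbour */

/* One pool entry. As with struct net_buf, the user data area of user_data_size
 * bytes follows the header directly, so the next entry starts right behind it.
 * Single-byte fields mean no alignment padding hides the overflow. */
struct model_buf {
	uint8_t len;            /* SDU payload bytes reassembled so far */
	uint8_t user_data_size; /* bytes of user data this pool reserved */
	uint8_t data[MODEL_DATA_SIZE];
};

struct model_pool {
	uint8_t *base;
	size_t stride; /* sizeof(struct model_buf) + user_data_size */
};

static struct model_buf *model_buf_at(struct model_pool *p, int i)
{
	return (struct model_buf *)(p->base + (size_t)i * p->stride);
}

/* Equivalent of net_buf_user_data(): the area directly behind the header. */
static uint8_t *model_user_data(struct model_buf *b) { return (uint8_t *)b + sizeof(*b); }

static int model_pool_init(struct model_pool *p, uint8_t ud_size)
{
	p->stride = sizeof(struct model_buf) + ud_size;
	p->base = calloc(MODEL_POOL_COUNT, p->stride);
	if (p->base == NULL) return -1;
	for (int i = 0; i < MODEL_POOL_COUNT; i++) {
		model_buf_at(p, i)->user_data_size = ud_size;
	}
	return 0;
}

/* The guard the fix adds in l2cap_chan_le_recv() before reassembly starts. */
static int model_sdu_user_data_ok(const struct model_buf *sdu)
{
	return (size_t)sdu->user_data_size >= sizeof(uint16_t);
}

/* Reassemble nseg segments of seg_len bytes into entry 0, keeping the uint16_t
 * segment counter in the user data area as l2cap_chan_le_recv_seg() does.
 * hardened == 0 is the pre-fix behaviour. Returns the final counter, or -1
 * where the real stack would disconnect the channel. */
static int model_recv_sdu(struct model_pool *p, int nseg, uint8_t seg_len, int hardened)
{
	struct model_buf *sdu = model_buf_at(p, 0); /* chan->_sdu from alloc_buf */
	uint16_t seg = 0;

	if (hardened && !model_sdu_user_data_ok(sdu)) return -1; /* unref + disconnect */
	memcpy(model_user_data(sdu), &seg, sizeof(seg)); /* assumed: counter starts at 0 */
	for (int i = 0; i < nseg; i++) {
		if (sdu->len + seg_len > MODEL_DATA_SIZE) return -1; /* not the bug under study */
		memset(sdu->data + sdu->len, 0xAA, seg_len);
		sdu->len += seg_len;
		memcpy(&seg, model_user_data(sdu), sizeof(seg));
		seg++;
		/* The 2-byte write: with user_data_size < 2, part or all of it lands
		 * in the next pool entry's header. */
		memcpy(model_user_data(sdu), &seg, sizeof(seg));
	}
	return seg;
}

/* Returns 1 if entry 1's header was clobbered, 0 if it is intact, -1 if the
 * hardened check rejected the buffer, -2 on allocation failure. */
int model_scenario(uint8_t ud_size, int nseg, int hardened)
{
	struct model_pool p;
	struct model_buf *neighbour;
	int rc;

	if (model_pool_init(&p, ud_size) != 0) return -2;
	rc = model_recv_sdu(&p, nseg, 4, hardened);
	if (rc < 0) {
		free(p.base);
		return rc;
	}
	/* Entry 1 was never used, so any change to its header came from the
	 * counter being written past entry 0's user data area. */
	neighbour = model_buf_at(&p, 1);
	rc = (neighbour->len != 0 || neighbour->user_data_size != ud_size) ? 1 : 0;
	free(p.base);
	return rc;
}

int main(void)
{
	printf("user_data_size=0, unpatched: neighbour corrupted=%d\n", model_scenario(0, 3, 0));
	printf("user_data_size=2, unpatched: neighbour corrupted=%d\n", model_scenario(2, 3, 0));
	printf("user_data_size=0, patched:   rc=%d (channel would be disconnected)\n", model_scenario(0, 3, 1));
	return 0;
}
```

With a 0-byte user data area the unpatched path changes the neighbouring entry's header after three segments; with a 2-byte area it does not; with the fix's check enabled the buffer is rejected before any segment is stored, which is the point at which the real stack disconnects the channel. The check also rejects a 1-byte area even though, on a little-endian target and small segment counts, the overflowing byte happens to be the counter's zero high byte: the fix reasons about the reservation, not about the values that would be written.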

Preconditions

  • config: The application must enable segmentation via `chan_ops.alloc_buf`.
  • config: The chosen RX pool must have a `user_data_size` smaller than 2 bytes.
  • auth: The attacker does not need any authentication.
  • network: The attack is performed by a remote, unauthenticated BLE peer.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
