VYPR
Unrated severity · NVD Advisory · Published Jun 4, 2026

CVE-2026-5589

Description

Integer underflow in Bluetooth Mesh leads to out-of-bounds write, potentially causing arbitrary code execution or denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An integer underflow vulnerability exists in the bt_mesh_sol_recv() function within subsys/bluetooth/mesh/solicitation.c when CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled. The function parses solicitation PDUs from raw BLE advertising payloads. An attacker-controlled length byte (reported_len) is used in a calculation reported_len - 3. If reported_len is less than 3, this subtraction results in a negative value which bypasses a length guard and is then implicitly converted to a large size_t value when passed to net_buf_simple_pull_mem(), leading to an out-of-bounds write. This affects Zephyr versions prior to the patches mentioned in reference [1].

Exploitation

An attacker with a nearby BLE device can trigger this vulnerability by sending a non-connectable advertisement containing a UUID16 AD structure and a crafted length byte. No pairing or prior association is required. The crafted length byte causes the reported_len - 3 calculation to yield a negative number, which bypasses the intended buffer length check. This negative value is then used to advance the data pointer far out of bounds, allowing subsequent reads to dereference invalid memory.

Impact

Successful exploitation of this vulnerability can lead to an out-of-bounds write, potentially resulting in arbitrary code execution. In real-time operating systems like Zephyr, which often lack common memory protection systems, this can be particularly severe. Even on systems with memory protection, the vulnerability can cause a crash, leading to a denial of service.

Mitigation

Patches for this vulnerability are available in Zephyr's main branch (#105585), v4.3 (#108334), and v3.7 (#108333) as detailed in reference [1]. Users are advised to update to a patched version of Zephyr. No workarounds are specified in the available references.

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 5
159c7d424d89

doc: release/4.4: Add CVE under embargo

https://github.com/zephyrproject-rtos/zephyr · Flavio Ceolin · Apr 5, 2026 · via github-commit-search
1 file changed · +4 −0
  • doc/releases/release-notes-4.4.rst (+4 −0, modified)
    @@ -133,10 +133,14 @@ The following CVEs are addressed by this release:
     
     * :cve:`2026-5067` Under embargo until 2026-05-23
     
    +* :cve:`2026-5068` Under embargo until 2026-05-21
    +
     * :cve:`2026-5071` Under embargo until 2026-05-18
     
     * :cve:`2026-5072` Under embargo until 2026-05-18
     
    +* :cve:`2026-5589` Under embargo until 2026-06-03
    +
     API Changes
     ***********
     
    
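Review bot: Commit title "Add CVE under embargo" names a single CVE, but the hunk also inserts `* :cve:`2026-5068` Under embargo until 2026-05-21`, which is unrelated to CVE-2026-5589; either split that line into its own commit or list both ids in the message so each embargoed entry stays traceable in the release-notes history.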
b5589fcc7b15

doc: vuln: Add CVE under embargo

https://github.com/zephyrproject-rtos/zephyr · Flavio Ceolin · Apr 5, 2026 · via github-commit-search
1 file changed · +5 −0
  • doc/security/vulnerabilities.rst (+5 −0, modified)
    @@ -2257,3 +2257,8 @@ Under embargo until 2026-05-18
     ----------------
     
     Under embargo until 2026-05-18
    +
    +:cve:`2026-5589`
    +----------------
    +
    +Under embargo until 2026-06-03
    
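Review bot: The new section body is only the placeholder "Under embargo until 2026-06-03", so a follow-up commit must replace it with the description and the fix-commit references once the embargo lifts; flagging that now so the entry is not forgotten. The 16-dash underline matches the length of the `:cve:`2026-5589`` title, which reStructuredText requires, so the markup itself is fine.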
ed7adfd635a9

bluetooth: mesh: fix solicitation data length

https://github.com/zephyrproject-rtos/zephyr · Aleksandr Khromykh · Mar 16, 2026 · via body-scan-shorthand
1 file changed · +3 −2
  • subsys/bluetooth/mesh/solicitation.c (+3 −2, modified)
    @@ -234,8 +234,9 @@ void bt_mesh_sol_recv(struct net_buf_simple *buf, uint8_t uuid_list_len)
     			break;
     		}
     
    -		if (buf->len <= reported_len - 3) {
    -			LOG_DBG("Invalid length (%u) Solicitation PDU", buf->len);
    +		if (reported_len < 3 || buf->len <= reported_len - 3) {
    +			LOG_DBG("Invalid length: buf->len=%u reported_len=%u Solicitation PDU",
    +				buf->len, reported_len);
     			return;
     		}
     
    
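Review bot: The added `reported_len < 3 ||` clause is the correct fix: it short-circuits before `reported_len - 3` is evaluated, so the promoted-int subtraction can no longer go negative and slip past the `<=` comparison against `buf->len`. Two things to confirm: `reported_len == 3` now reaches `buf->len <= 0`, i.e. a zero-length pull, which looks intended but deserves a comment; and the retained `<=` (rather than `<`) rejects a buffer holding exactly `reported_len - 3` bytes, so please state in the commit message or a comment that the extra byte the guard demands is deliberate. Logging both values in the LOG_DBG is a welcome improvement for triage.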
35592afcfeb7

bluetooth: mesh: fix solicitation data length

https://github.com/zephyrproject-rtos/zephyr · Aleksandr Khromykh · Mar 16, 2026 · via body-scan-shorthand
1 file changed · +3 −2
  • subsys/bluetooth/mesh/solicitation.c (+3 −2, modified)
    @@ -234,8 +234,9 @@ void bt_mesh_sol_recv(struct net_buf_simple *buf, uint8_t uuid_list_len)
     			break;
     		}
     
    -		if (buf->len <= reported_len - 3) {
    -			LOG_DBG("Invalid length (%u) Solicitation PDU", buf->len);
    +		if (reported_len < 3 || buf->len <= reported_len - 3) {
    +			LOG_DBG("Invalid length: buf->len=%u reported_len=%u Solicitation PDU",
    +				buf->len, reported_len);
     			return;
     		}
     
    
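Review bot: This hunk is byte-identical to the main-branch change, down to the `@@ -234,8 +234,9 @@` offset, so the backport applies cleanly; the commit message, however, names neither the target branch nor the CVE or upstream commit id, which makes it hard to tell the three identical commits apart when auditing which branches carry the fix. Please add the branch and a "cherry picked from" reference.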
fda7ed8613a9

bluetooth: mesh: fix solicitation data length

https://github.com/zephyrproject-rtos/zephyr · Aleksandr Khromykh · Mar 16, 2026 · via body-scan-shorthand
1 file changed · +3 −2
  • subsys/bluetooth/mesh/solicitation.c (+3 −2, modified)
    @@ -230,8 +230,9 @@ void bt_mesh_sol_recv(struct net_buf_simple *buf, uint8_t uuid_list_len)
     			break;
     		}
     
    -		if (buf->len <= reported_len - 3) {
    -			LOG_DBG("Invalid length (%u) Solicitation PDU", buf->len);
    +		if (reported_len < 3 || buf->len <= reported_len - 3) {
    +			LOG_DBG("Invalid length: buf->len=%u reported_len=%u Solicitation PDU",
    +				buf->len, reported_len);
     			return;
     		}
     
    
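Review bot: Same three-line change as the other two commits, applied at `@@ -230,8 +230,9 @@` because this branch's file is four lines shorter above the guard; the logic is unchanged and still correct. Since the context lines (`break;`, the closing brace and the surrounding blank lines) match exactly, a patch-offset apply was enough, but the commit message is again identical and carries no branch or CVE reference, so consider adding the upstream commit id for traceability.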

Vulnerability mechanics

Root cause

"An integer underflow in Bluetooth Mesh solicitation handling leads to an out-of-bounds write."

Attack vector

An attacker can trigger this vulnerability by sending a non-connectable BLE advertisement with a UUID16 AD structure and a crafted length byte. This advertisement is processed by the `bt_mesh_sol_recv()` function when `CONFIG_BT_MESH_OD_PRIV_PROXY_SRV` is enabled. No pairing or prior association is required for this attack to succeed. The crafted length byte causes an integer underflow during length calculation, bypassing security checks and leading to an out-of-bounds write [ref_id=1].

Affected code

The vulnerability resides in the `bt_mesh_sol_recv()` function within the file `subsys/bluetooth/mesh/solicitation.c`. Specifically, the issue occurs in the AD parsing loop where an attacker-controlled length byte (`reported_len`) is read. The problematic calculation `reported_len - 3` and the subsequent call to `net_buf_simple_pull_mem()` are located within this loop [ref_id=1].

What the fix does

The patch addresses the integer underflow by ensuring that the `reported_len` is at least 3 before performing the subtraction. This prevents the calculation of a negative value, which was then incorrectly converted to a large `size_t` and used to advance the data pointer out of bounds. By adding a check for `reported_len >= 3`, the vulnerability is mitigated, and subsequent memory accesses remain within valid buffer boundaries [patch_id=4832860].
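To make the promotion rule concrete, here is an added stand-alone C model of the guard before and after the patch; it is not Zephyr's code, and it assumes `reported_len` is the `uint8_t` AD length byte and `buf->len` is the `uint16_t` field of `net_buf_simple`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Stand-alone model of the length guard in bt_mesh_sol_recv(), not Zephyr
 * code. Assumed types: reported_len is the uint8_t AD length byte,
 * buf->len is the uint16_t field of net_buf_simple. */

/* Guard before the patch. reported_len is promoted to int, so for
 * reported_len < 3 the right-hand side is negative and no unsigned
 * buf_len can be <= it: the check silently passes. */
bool old_guard_rejects(uint16_t buf_len, uint8_t reported_len)
{
    return buf_len <= reported_len - 3;
}

/* Guard after the patch: reported_len < 3 is rejected before the
 * subtraction is ever evaluated. */
bool new_guard_rejects(uint16_t buf_len, uint8_t reported_len)
{
    return reported_len < 3 || buf_len <= reported_len - 3;
}

/* What net_buf_simple_pull_mem() receives in its size_t length parameter
 * once the old guard has been passed: the negative int wraps around. */
size_t pull_len_after_guard(uint8_t reported_len)
{
    return (size_t)(reported_len - 3);
}

/* True when pulling `pull` bytes stays inside a buffer of buf_len bytes. */
bool pull_in_bounds(uint16_t buf_len, size_t pull)
{
    return pull <= buf_len;
}

int main(void)
{
    /* Constructed case: 8 bytes left in buf, crafted AD length byte of 2. */
    uint16_t buf_len = 8;
    uint8_t crafted = 2;
    size_t pull = pull_len_after_guard(crafted);

    printf("old guard rejects: %d\n", old_guard_rejects(buf_len, crafted));
    printf("pull length handed on: %zu, in bounds: %d\n", pull,
           pull_in_bounds(buf_len, pull));
    printf("new guard rejects: %d\n", new_guard_rejects(buf_len, crafted));
    return 0;
}
```

With the old guard the crafted length byte hands `SIZE_MAX` to the pull, which no bounds check downstream can absorb; the patched guard rejects it before any arithmetic happens.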

Preconditions

  • config: CONFIG_BT_MESH_OD_PRIV_PROXY_SRV must be enabled.
  • input: A BLE advertisement payload with a UUID16 AD structure and a crafted length byte where reported_len < 3.
  • network: The attacker must be within BLE range of the vulnerable device.

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.