Zephyr RTOS: Four Vulnerabilities in UART, Bluetooth, and FS Disclosed Together
Key findings • Four vulnerabilities disclosed in Zephyr RTOS between June 22-24, 2026, affecting serial, Bluetooth, and file system components. • CVE-2026-10642: Unbounded loop in PL011 UART …
Key findings
- Four vulnerabilities disclosed in Zephyr RTOS between June 22-24, 2026, affecting serial, Bluetooth, and file system components.
- CVE-2026-10642: Unbounded loop in PL011 UART driver may cause denial-of-service.
- CVE-2026-10658: Missing length validation in Bluetooth Host ISO RX can lead to DoS.
- CVE-2026-10651: SDP parser flaw may cause assertion and out-of-bounds read in Bluetooth Classic.
- CVE-2026-10645: Ext2 directory entry validation issues can lead to out-of-bounds read and traversal.
The Zephyr Project RTOS experienced a coordinated disclosure of four vulnerabilities on June 23rd and 24th, 2026, impacting its serial and Bluetooth subsystems, as well as its file system module. These issues, ranging in severity, highlight potential denial-of-service (DoS) conditions and data corruption risks within the widely used real-time operating system.
One critical vulnerability, CVE-2026-10642, resides in the PL011 UART driver. It involves an unbounded software loop in pl011_irq_tx_enable() that can lead to a DoS when hardware flow control is enabled. This could disrupt serial communications, a fundamental function for many embedded systems.
The Bluetooth stack is affected by two separate issues. CVE-2026-10658, a DoS vulnerability, stems from a missing length validation in the Bluetooth Host ISO receive path. Malformed HCI ISO data can trigger this flaw in bt_iso_recv(), potentially crashing the Bluetooth service. Additionally, CVE-2026-10651, found in the Bluetooth Classic SDP parser, can lead to a reachable assertion and an out-of-bounds read due to improper handling of malformed SDP attributes in bt_sdp_parse_attribute().
A fourth vulnerability, CVE-2026-10645, impacts the ext2 file system implementation. A failure to fully validate directory entry structures in ext2_fetch_direntry() can result in out-of-bounds reads and unintended directory traversal, potentially leading to data corruption or information disclosure.
These vulnerabilities were disclosed by various sources, with the earliest appearing on June 22nd and the latest on June 24th, 2026. Users of the Zephyr RTOS are advised to review the specific details of each CVE and apply any available patches or mitigations provided by the Zephyr Project to secure their systems against these potential threats. The coordinated nature of this disclosure suggests a focused effort to address these specific weaknesses in the Zephyr codebase.