{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-10660", "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "state": "PUBLISHED", "assignerShortName": "zephyr", "dateReserved": "2026-06-02T15:24:37.969Z", "datePublished": "2026-07-11T17:00:13.644Z", "dateUpdated": "2026-07-14T18:38:42.678Z" }, "containers": { "cna": { "providerMetadata": { "orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad", "shortName": "zephyr", "dateUpdated": "2026-07-14T18:38:42.678Z" }, "title": "Shared reassembly buffer in Bluetooth BAP Broadcast Assistant enables cross-connection memory corruption", "descriptions": [ { "lang": "en", "value": "The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bap_broadcast_assistant.c reassembled remote Broadcast Receive State data into a single file-static net_buf_simple (att_buf, BT_ATT_MAX_ATTRIBUTE_LEN = 512 bytes) shared by all connection instances, while the BUSY flag, long-read handle, and reset/offset state were per-connection.\n\nWhen the device acts as a Broadcast Assistant connected to multiple Scan Delegator peripherals, notification and long-read callbacks from different connections interleave on the shared buffer: the append in notify_handler (net_buf_simple_add_mem at the not-busy branch) performs no tailroom check, so receive-state notifications from two or more delegators accumulate on the same 512-byte buffer and, with a sufficiently large configured ATT MTU (BT_L2CAP_TX_MTU up to 2000) and two-to-three concurrent connections, write past the buffer into adjacent .bss (net_buf_simple_add only asserts in debug builds).\n\nEven below the overflow threshold, one connection's net_buf_simple_reset zeroes the shared length while another connection's reassembly and GATT read offset are in flight, mixing one peer's data into another's parse. A malicious or compromised Scan Delegator (or two colluding peers) over BLE can trigger this, causing out-of-bounds writes (memory corruption / denial of service) and cross-connection data corruption.\n\nThe fix moves the buffer into the per-connection instance struct so each connection reassembles into its own buffer. Affects Zephyr releases shipping the Broadcast Assistant with the shared buffer, including v4.4.0 and earlier." } ], "affected": [ { "vendor": "zephyrproject", "product": "zephyr", "collectionURL": "https://github.com/zephyrproject-rtos/zephyr", "packageName": "zephyr", "defaultStatus": "unaffected", "programFiles": [ "subsys/bluetooth/audio/bap_broadcast_assistant.c" ], "versions": [ { "version": "3.6.0", "status": "affected", "lessThan": "4.5.0", "versionType": "semver" } ] } ], "references": [ { "url": "https://github.com/zephyrproject-rtos/zephyr/commit/0cd61589ff820b6a585c73cb36f1e14b043a2795", "name": "Fix commit", "tags": [ "patch" ] }, { "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-73c7-3rh7-v5p9", "name": "GHSA-73c7-3rh7-v5p9" } ], "metrics": [ { "format": "CVSS", "cvssV3_1": { "version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H", "baseScore": 6.4, "baseSeverity": "MEDIUM" } } ], "problemTypes": [ { "descriptions": [ { "lang": "en", "description": "memory-safety", "cweId": "CWE-787", "type": "CWE" } ] } ], "x_generator": { "engine": "cvelib 1.8.0" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-07-13T15:44:09.257224Z", "id": "CVE-2026-10660", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-07-13T15:44:27.208Z" } } ] } }