Out-of-Bounds Write in Zephyr's Bluetooth Classic HFP Parser
CVE-2026-10641

7.1HIGH

Key Information:

Vendor: Zephyrproject
Status: Zephyr
Vendor: CVE Published:; 17 June 2026

🔔 Create Zephyrproject Vulnerability Alert

What is CVE-2026-10641?

The Bluetooth Classic Hands-Free Profile (HFP) parser in Zephyr RTOS is vulnerable to an out-of-bounds write during the Service Level Connection setup. In particular, the problem arises when the Hands-Free device sends a command that causes the parser to process an excessive number of entries, thus exceeding the bounds of the allocated array. This vulnerability allows a malicious remote Bluetooth device to exploit the system by sending a malformed AT response, leading to memory corruption, potentially affecting adjacent structures, and causing denial of service without requiring user interaction. Mitigation steps involve implementing bounds checks to ensure the index remains within the permissible limit.

Affected Version(s)

zephyr 1.7.0 < 4.5.0

References

https://github.com/zephyrproject-rtos/zephyr/commit/cf769...

patch

https://github.com/zephyrproject-rtos/zephyr/security/adv...

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 17, 2026
Vulnerability Reserved
Jun 2, 2026

CVE-2026-10641 Data

JSON