CVE Catalog

CVE-2026-10593

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile — higher than 8% of all known CVEs

Summary

In Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client, a NULL pointer dereference vulnerability exists. The unicast_client_ep_qos_state() function writes attacker-controlled QoS fields via the stream->qos pointer, which can be NULL when the stream is codec-configured but not added to a unicast group. A remote ASCS server can send a GATT notification announcing the ASE has entered the QoS Configured state while the local endpoint is in Codec Configured state, causing a write through NULL and a crash (denial of service).

Risk Assessment

An attacker can remotely crash a Zephyr device by exploiting the missing QoS pointer validation in BAP notification handling. This leads to disruption of audio services and potentially the entire system.

Recommendation

Immediately update Zephyr to a version containing the fix (v4.4.1 or later). If updating is not possible, restrict trusted Bluetooth LE Audio connections to verified devices.

Original NVD description (English source)

The Zephyr Bluetooth LE Audio Basic Audio Profile (BAP) unicast client mishandles peer-supplied ASE state notifications. In unicast_client_ep_qos_state() (subsys/bluetooth/audio/bap_unicast_client.c), the handler writes attacker-controlled QoS fields (interval, framing, phy, sdu, rtn, latency, pd) through the stream-qos pointer with only a stream != NULL guard. stream-qos is NULL for any stream that has been codec-configured via bt_bap_stream_config() but not yet added to a unicast group (it is set only by unicast_group_add_stream()). A malicious or buggy remote ASCS server, to which the local device is connected as a BAP unicast client, can send a GATT notification announcing the ASE has entered the QoS Configured state while the local endpoint is still in the Codec Configured state — a transition the dispatcher explicitly permits — during that window, causing a write through a NULL pointer and a crash (denial of service). The data written is itself remote-controlled. The defect shipped in v4.3.0 and v4.4.0 (and earlier). The fix re-points all BAP QoS storage to the always-valid embedded ep-qos struct, eliminating the NULL dereference.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS