CVE Catalog

CVE-2026-5589

MediumCVSS 6.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

12th percentile - higher than 12% of all known CVEs

Summary

An integer underflow in bt_mesh_sol_recv() in the Zephyr Bluetooth Mesh stack leads to an out-of-bounds write. A nearby BLE attacker can send a crafted advertisement packet to trigger denial of service or potentially arbitrary code execution without pairing.

Risk Assessment

The risk includes remote denial of service (DoS) or remote code execution (RCE) on devices with CONFIG_BT_MESH_OD_PRIV_PROXY_SRV enabled, with no prior association required.

Recommendation

Update the Bluetooth Mesh stack to a patched version immediately. If not possible, disable CONFIG_BT_MESH_OD_PRIV_PROXY_SRV.

Original NVD description (English source)

An integer underflow in bt_mesh_sol_recv() in the Bluetooth Mesh solicitation handling (subsys/bluetooth/mesh/solicitation.c) leads to an out-of-bounds write. When CONFIG_BT_MESH_OD_PRIV_PROXY_SRV is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an attacker-controlled length byte (reported_len) and computes reported_len - 3 without checking that reported_len >= 3. When reported_len is less than 3, the subtraction is performed in signed int arithmetic and yields a negative value that bypasses the length guard and is then implicitly converted to a very large size_t when passed to net_buf_simple_pull_mem(). In builds without assertions, this wraps the buffer length and advances the data pointer far out of bounds, so subsequent reads dereference invalid memory. A nearby BLE device can trigger this with a non-connectable advertisement carrying a UUID16 AD structure and a crafted length byte, with no pairing or prior association required, potentially leading to denial of service or arbitrary code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS