Vulnerability Details CVE-2026-10651
A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then unconditionally pulls an additional byte for the value type without verifying that the byte is present. A truncated 3-byte attribute (for example 09 00 09) therefore reaches net_buf_simple_pull() with insufficient remaining length, triggering the __ASSERT_NO_MSG(buf->len >= len) check and a kernel panic in assert-enabled builds (denial of service). In builds where assertions are disabled, parsing may continue past the end of the available buffer, leading to an out-of-bounds read and undefined behavior.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 6.7%
CVSS Severity
CVSS v3 Score 7.1
Products affected by CVE-2026-10651
-
cpe:2.3:o:zephyrproject:zephyr:-
-
cpe:2.3:o:zephyrproject:zephyr:1.0.0
-
cpe:2.3:o:zephyrproject:zephyr:1.1.0
-
cpe:2.3:o:zephyrproject:zephyr:1.10.0
-
cpe:2.3:o:zephyrproject:zephyr:1.11.0
-
cpe:2.3:o:zephyrproject:zephyr:1.12.0
-
cpe:2.3:o:zephyrproject:zephyr:1.13.0
-
cpe:2.3:o:zephyrproject:zephyr:1.14.0
-
cpe:2.3:o:zephyrproject:zephyr:1.14.1
-
cpe:2.3:o:zephyrproject:zephyr:1.14.2
-
cpe:2.3:o:zephyrproject:zephyr:1.14.3
-
cpe:2.3:o:zephyrproject:zephyr:1.2.0
-
cpe:2.3:o:zephyrproject:zephyr:1.3.0
-
cpe:2.3:o:zephyrproject:zephyr:1.4.0
-
cpe:2.3:o:zephyrproject:zephyr:1.5.0
-
cpe:2.3:o:zephyrproject:zephyr:1.6.0
-
cpe:2.3:o:zephyrproject:zephyr:1.6.1
-
cpe:2.3:o:zephyrproject:zephyr:1.6.99
-
cpe:2.3:o:zephyrproject:zephyr:1.7.0
-
cpe:2.3:o:zephyrproject:zephyr:1.7.1
-
cpe:2.3:o:zephyrproject:zephyr:1.7.99
-
cpe:2.3:o:zephyrproject:zephyr:1.8.0
-
cpe:2.3:o:zephyrproject:zephyr:1.8.99
-
cpe:2.3:o:zephyrproject:zephyr:1.9.0
-
cpe:2.3:o:zephyrproject:zephyr:1.9.1
-
cpe:2.3:o:zephyrproject:zephyr:1.9.2
-
cpe:2.3:o:zephyrproject:zephyr:2.0.0
-
cpe:2.3:o:zephyrproject:zephyr:2.1.0
-
cpe:2.3:o:zephyrproject:zephyr:2.2.0
-
cpe:2.3:o:zephyrproject:zephyr:2.3.0
-
cpe:2.3:o:zephyrproject:zephyr:2.4.0
-
cpe:2.3:o:zephyrproject:zephyr:2.5.0
-
cpe:2.3:o:zephyrproject:zephyr:2.5.1
-
cpe:2.3:o:zephyrproject:zephyr:2.6.0
-
cpe:2.3:o:zephyrproject:zephyr:2.6.1
-
cpe:2.3:o:zephyrproject:zephyr:2.7.0
-
cpe:2.3:o:zephyrproject:zephyr:2.79.0
-
cpe:2.3:o:zephyrproject:zephyr:2.8.0
-
cpe:2.3:o:zephyrproject:zephyr:2.81.0
-
cpe:2.3:o:zephyrproject:zephyr:2.82.0
-
cpe:2.3:o:zephyrproject:zephyr:2.83.0
-
cpe:2.3:o:zephyrproject:zephyr:2.84.0
-
cpe:2.3:o:zephyrproject:zephyr:2.85.0
-
cpe:2.3:o:zephyrproject:zephyr:2.86.0
-
cpe:2.3:o:zephyrproject:zephyr:2.87.0
-
cpe:2.3:o:zephyrproject:zephyr:2.88.0
-
cpe:2.3:o:zephyrproject:zephyr:2.89.0
-
cpe:2.3:o:zephyrproject:zephyr:2.90.0
-
cpe:2.3:o:zephyrproject:zephyr:2.91.0
-
cpe:2.3:o:zephyrproject:zephyr:2.92.0
-
cpe:2.3:o:zephyrproject:zephyr:2.93.0
-
cpe:2.3:o:zephyrproject:zephyr:2.94.0
-
cpe:2.3:o:zephyrproject:zephyr:2.95.0
-
cpe:2.3:o:zephyrproject:zephyr:3.0.0
-
cpe:2.3:o:zephyrproject:zephyr:3.0.1
-
cpe:2.3:o:zephyrproject:zephyr:3.1.0
-
cpe:2.3:o:zephyrproject:zephyr:3.2.0
-
cpe:2.3:o:zephyrproject:zephyr:3.2.01
-
cpe:2.3:o:zephyrproject:zephyr:3.2.1
-
cpe:2.3:o:zephyrproject:zephyr:3.2.31
-
cpe:2.3:o:zephyrproject:zephyr:3.2.40
-
cpe:2.3:o:zephyrproject:zephyr:3.2.41
-
cpe:2.3:o:zephyrproject:zephyr:3.3.0
-
cpe:2.3:o:zephyrproject:zephyr:3.4.0
-
cpe:2.3:o:zephyrproject:zephyr:3.5.0
-
cpe:2.3:o:zephyrproject:zephyr:3.6.0
-
cpe:2.3:o:zephyrproject:zephyr:3.7.0
-
cpe:2.3:o:zephyrproject:zephyr:3.7.1
-
cpe:2.3:o:zephyrproject:zephyr:3.7.2
-
cpe:2.3:o:zephyrproject:zephyr:4.0.0
-
cpe:2.3:o:zephyrproject:zephyr:4.1.0
-
cpe:2.3:o:zephyrproject:zephyr:4.2.0
-
cpe:2.3:o:zephyrproject:zephyr:4.2.1
-
cpe:2.3:o:zephyrproject:zephyr:4.3.0
-
cpe:2.3:o:zephyrproject:zephyr:4.3.1
-
cpe:2.3:o:zephyrproject:zephyr:4.4.0
-
cpe:2.3:o:zephyrproject:zephyr:4.4.1